@evilpie evilpie commented Aug 5, 2025

navigation.navigate("javascript:alert(1)") is a new script execution sink that was newly added. We believe that it would be more useful for new APIs to not support the legacy javascript: protocol, compared to just keeping it because other APIs like location.href support it.

Fixes #11500

(See WHATWG Working Mode: Changes for more details.)


/nav-history-apis.html ( diff )

annevk commented Aug 5, 2025

I discussed this with colleagues and while we don't really see any benefits to this, you can consider WebKit supportive as generally new APIs shouldn't spread badness.

@domenic domenic left a comment

LGTM once the PR template is filled out.

evilpie commented Aug 20, 2025

Thanks. I completed the PR template.

@domenic domenic merged commit b7647a2 into whatwg:main Aug 21, 2025
2 checks passed
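
Added example (not part of this PR or of any browser's code): an application-side check for values headed to a navigation sink such as navigation.navigate() or location.href, using the URL parser so that case, whitespace and tab variants of javascript: are classified the same way the sink would see them. The helper names, the allow-list, the sample inputs and the app.example base are assumptions.

```javascript
// Added example; helper names and the allow-list are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// String check for contrast: misses variants the URL parser normalizes.
function naiveIsScriptUrl(input) {
  return String(input).startsWith("javascript:");
}

// Classify with the URL parser, which trims leading C0 control/space,
// drops ASCII tab/newline and lowercases the scheme before it is compared.
function classifyNavigationTarget(input, base) {
  let url;
  try {
    url = new URL(String(input), base);
  } catch {
    return { verdict: "invalid", href: null };
  }
  if (url.protocol === "javascript:") return { verdict: "script", href: null };
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { verdict: "blocked-scheme", href: null };
  return { verdict: "allowed", href: url.href };
}

// Wrap the sink: only a parsed, allow-listed href reaches nav.navigate().
function safeNavigate(nav, input, base) {
  const { verdict, href } = classifyNavigationTarget(input, base);
  if (verdict !== "allowed") throw new TypeError(`navigation refused: ${verdict}`);
  return nav.navigate(href);
}

// Constructed inputs (only the first string appears in the PR text).
const SAMPLES = [
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "/account?tab=security",
  "data:text/html,hi",
];

function runSamples(base = "https://app.example/") {
  return SAMPLES.map((s) => ({
    input: s,
    naive: naiveIsScriptUrl(s),
    verdict: classifyNavigationTarget(s, base).verdict,
  }));
}

console.log(runSamples());
```

In a page, pass document.baseURI as base and window.navigation as nav.
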
basuke added a commit to basuke/WebKit that referenced this pull request Aug 27, 2025
…vigate()

https://bugs.webkit.org/show_bug.cgi?id=297650
rdar://158867866

Reviewed by NOBODY (OOPS!).

navigation.navigate("javascript:alert(1)") is a new script execution sink that was newly added.
We believe that it would be more useful for new APIs to not support the legacy javascript:
protocol, compared to just keeping it because other APIs like location.href support it.

whatwg/html#11533

* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url-expected.txt: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url.html: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/resources/helpers.js: Added.
(window.assertReturnValue):
(window.assertNeverSettles):
(window.assertBothFulfillEntryNotAvailable.async t):
(window.assertBothFulfill.async t):
(window.assertCommittedFulfillsFinishedRejectsExactly.async t):
(window.assertCommittedFulfillsFinishedRejectsDOM.async t):
(window.waitForAllLenient):
(window.assertBothRejectExactly.async t):
(window.assertBothRejectDOM.async t):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::navigate):
webkit-commit-queue pushed a commit to basuke/WebKit that referenced this pull request Aug 28, 2025
…vigate()

https://bugs.webkit.org/show_bug.cgi?id=297650
rdar://158867866

Reviewed by Tim Nguyen.

navigation.navigate("javascript:alert(1)") is a new script execution sink that was newly added.
We believe that it would be more useful for new APIs to not support the legacy javascript:
protocol, compared to just keeping it because other APIs like location.href support it.

whatwg/html#11533

* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url-expected.txt: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url.html: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/resources/helpers.js: Added.
(window.assertReturnValue):
(window.assertNeverSettles):
(window.assertBothFulfillEntryNotAvailable.async t):
(window.assertBothFulfill.async t):
(window.assertCommittedFulfillsFinishedRejectsExactly.async t):
(window.assertCommittedFulfillsFinishedRejectsDOM.async t):
(window.waitForAllLenient):
(window.assertBothRejectExactly.async t):
(window.assertBothRejectDOM.async t):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::navigate):

Canonical link: https://commits.webkit.org/299235@main
Jarred-Sumner pushed a commit to oven-sh/WebKit that referenced this pull request Aug 29, 2025
zcorpan pushed a commit to web-platform-tests/wpt that referenced this pull request Sep 17, 2025
lando-prod-mozilla bot pushed a commit to mozilla-firefox/firefox that referenced this pull request Sep 22, 2025
…navigation.navigate(), a=testonly

Automatic update from web-platform-tests
Don't allow the javascript: protocol in navigation.navigate()

See whatwg/html#11533
--

wpt-commits: 8da7ccbffe21ee27d5fc7660e391c8fde7cad730
wpt-pr: 54544
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this pull request Sep 24, 2025
mertcanaltin pushed a commit to mertcanaltin/wpt that referenced this pull request Oct 26, 2025