[Bug 9767] New: Consider ignoring document.write() when IE ignores it if IE has a sane condition for ignoring it

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9767

           Summary: Consider ignoring document.write() when IE ignores it
                    if IE has a sane condition for ignoring it
           Product: HTML WG
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P1
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: hsivonen@iki.fi
         QAContact: public-html-bugzilla@w3.org
                CC: bzbarsky@mit.edu, mike@w3.org, public-html@w3.org,
                    jonas@sicking.cc


At bugzilla.mozilla.org, we've gotten a very small but non-zero number of
reports about builds with the HTML5 parser enabled showing blank pages.

In all cases, this has been about document.write() without an insertion point
blowing away the document. The dominant pattern is that there's browser
sniffing and the code path for IE does document.write("<script
src='another-script-that-calls-document-write.js'></script>"); and the code
path for Gecko does var s = document.createElement("script"); s.src =
"another-script-that-calls-document-write.js"; document.body.appendChild(s);.

Thus, the problem would go away if the sites removed sniffing and used the
IE-targeted loading method for all browsers. (There's also been one report of
MITM malware injecting this problem to pages.)

However, experimentation shows that IE itself mitigates the problem compared to
what the spec says by ignoring document.write() in some cases.
See https://bug560256.bugzilla.mozilla.org/attachment.cgi?id=446166 for an
example.

Ignoring document.write() without a defined insertion point during the parse
would not be a nice solution, because it would introduce a race between
asynchronous script loads and the parse finishing. Thus, authors whose network
made the script always load before the parser is done might not notice a
problem but users whose network makes the script fire after the parser is done
would get the document blown away.

I would guess there's a compat reason why document.write() after the parser is
done implies document.open(), so I suppose always ignoring document.write()
without a defined insertion point isn't a solution, either.

At least at this point, I haven't worked out what criteria IE uses.

I'm kinda expecting that the outcome here is that there is no non-racy solution
that isn't overly complex and this will be WONTFIX. However, I'm filing this
bug in case I'm missing something. If there is a sanely implementable non-racy
condition when IE ignores document.write(), it might be worthwhile to spec it.

Received on Wednesday, 19 May 2010 07:43:55 UTC
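
The race described in the message (ignoring document.write() without an insertion point only while the parser is active), as an added example that is not part of the original bug report. It is a toy JavaScript model, not browser or spec code; ToyDocument, simulate and the millisecond timings are constructed for illustration.

```javascript
// Toy model (constructed for illustration, not browser or spec code).
// Policy under test: the hypothetical rule from the message, "ignore
// document.write() without an insertion point while the parser is active".
class ToyDocument {
  constructor(markup) {
    this.content = markup;     // what the user currently sees
    this.parserActive = true;  // true until the network parse finishes
  }
  finishParsing() { this.parserActive = false; }
  // insertionPoint is true only for a script the parser itself inserted,
  // e.g. one emitted by document.write("<script src=...></script>").
  write(text, insertionPoint) {
    if (insertionPoint) { this.content += text; return "inserted"; }
    if (this.parserActive) return "ignored";  // hypothetical rule
    this.content = text;                      // implied document.open()
    return "document replaced";
  }
}

// Replay "parse finished" and "script loaded" in timestamp order.
// Timestamps are constructed values in milliseconds.
function simulate(scriptLoadedAt, parseDoneAt) {
  const doc = new ToyDocument("<p>page body</p>");
  const events = [
    { at: parseDoneAt, run: () => doc.finishParsing() },
    // Script added with createElement/appendChild: no insertion point.
    { at: scriptLoadedAt, run: () => doc.write("<div>ad</div>", false) },
  ].sort((a, b) => a.at - b.at);
  let writeResult;
  for (const e of events) {
    const r = e.run();
    if (r) writeResult = r;
  }
  return { writeResult, content: doc.content };
}

// Same page, same script, different network timing, different outcome.
console.log("script before parse end:", simulate(50, 200));
console.log("script after parse end: ", simulate(400, 200));
```

The author testing on a fast network only ever sees the first outcome, which is why the message calls the rule racy.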