<br clear="all"><br><div class="gmail_quote">On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <span dir="ltr"><<a href="mailto:w3c@adambarth.com">w3c@adambarth.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <<a href="mailto:Simetrical%2Bw3c@gmail.com">Simetrical+w3c@gmail.com</a>> wrote:<br>
> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <<a href="mailto:luke.hutch@mit.edu">luke.hutch@mit.edu</a>> wrote:<br>
>> There is no legitimate reason that non-developers would need to paste<br>
>> "javascript:" URLs into the address bar, and the ability to do so<br>
>> should be disabled by default on all browsers.<br>
><br>
> Sure there is: bookmarklets, basically. javascript: URLs can do lots<br>
> of fun and useful things. Also fun but not-so-useful things, like:<br>
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);<br>
><br>
> (Credit to johnath for that one. Repeat with 0 instead of 180deg to<br>
> undo.) You can do all sorts of interesting things to the page by<br>
> pasting javascript: URLs into the URL bar. Of course, there are<br>
> obviously security problems here too, but "no legitimate reason" is<br>
> much too strong.<br>
<br>
</div></div>We could allow bookmarklets without allowing direct pasting into the<br>
URL bar. That would make the social engineering more complex at<br>
least.<br>
<font color="#888888"><br>
Adam<br>
</font></blockquote></div><br>Would a pop-up warning be sufficient, rather than disallowing it?<br><br>For example, if I write the following URL into Firefox...<br><br><a href="http://charles">http://charles</a>@<a href="http://49research.com/">49research.com/</a><br>
<br>... Firefox will pop up a modal dialog box with the following message...<br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">You are about to log in to the site "<a href="http://49research.com">49research.com</a>" with the username "charles", but the website does not require authentication. This may be an attempt to trick you.<br>
<br>Is "<a href="http://49research.com">49research.com</a>" the site you want to visit? <br><br> [yes] [no]<br></blockquote><div><br>Perhaps a modal dialog box could pop up for copy-and-pasted JavaScript URLs too (after the user presses Enter).<br>
</div><br><br>--<br>Charles Iliya Krempeaux, B.Sc.<br><br><br>
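The two address-bar cases this thread compares (a pasted "javascript:" URL, and an http URL whose userinfo makes the text before "@" look like the host) can both be recognised with the standard WHATWG URL parser that browsers and Node.js expose. The following is an added example written for this page, not code from any of the posters or from Firefox; the function name and the shape of the returned object are assumptions, and the sample inputs are the ones quoted in the thread.

```javascript
// Added example (not from the thread). Classify text entered into an address
// bar into the cases where a warning dialog like the one Firefox shows for
// "http://charles@49research.com/" would make sense. Uses the WHATWG URL
// parser (global `URL` in browsers and Node.js); function name is hypothetical.
function classifyAddressBarInput(input) {
  let url;
  try {
    // The parser strips leading/trailing whitespace and lower-cases the
    // scheme, so "  JavaScript:..." is handled the same as "javascript:...".
    url = new URL(input);
  } catch (e) {
    return { kind: "unparseable", warn: false };
  }

  // Case 1: a javascript: URL runs script in the origin of the page that is
  // currently loaded, which is why pasting one is a social-engineering risk.
  if (url.protocol === "javascript:") {
    return {
      kind: "javascript-url",
      warn: true,
      reason: "would run script in the context of the current page",
    };
  }

  // Case 2: userinfo in an http(s) URL. The real host is what follows "@";
  // the username portion is what a casual reader sees first.
  if (
    (url.protocol === "http:" || url.protocol === "https:") &&
    (url.username !== "" || url.password !== "")
  ) {
    return {
      kind: "embedded-credentials",
      warn: true,
      host: url.hostname,
      username: decodeURIComponent(url.username),
    };
  }

  return { kind: "ordinary", warn: false, host: url.hostname };
}

// Build the text a warning dialog could show for a classified input, in the
// style of the Firefox message quoted in the thread (wording is ours).
function warningText(result) {
  switch (result.kind) {
    case "embedded-credentials":
      return (
        `You are about to log in to the site "${result.host}" with the ` +
        `username "${result.username}", but this may be an attempt to trick you. ` +
        `Is "${result.host}" the site you want to visit?`
      );
    case "javascript-url":
      return (
        "The text you pasted is a javascript: URL and " +
        result.reason +
        ". Do you want to run it?"
      );
    default:
      return null; // no dialog needed
  }
}

// Sample inputs taken from the thread (constructed usage, not captured data).
const samples = [
  "http://charles@49research.com/",
  'javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);',
  "https://49research.com/",
];
for (const s of samples) {
  const r = classifyAddressBarInput(s);
  console.log(r.kind, "->", warningText(r));
}
```

Note that the classification looks only at the parsed URL, so it does not depend on where the text came from; a browser that wanted to treat typed bookmarklets and pasted ones differently, as Adam suggests, would need that context from the UI layer, not from the URL itself.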