[whatwg] Please disallow "javascript:" URLs in browser address bars

Ian Hickson ian at hixie.ch
Wed Aug 11 18:34:14 PDT 2010 

On Thu, 22 Jul 2010, Luke Hutchison wrote:
>
> There has been a spate of facebook viruses in the last few months that 
> have exploited social engineering and the ability to paste arbitrary 
> javascript into the addressbar of all major browsers to propagate 
> themselves.  Typically these show up as Facebook fan pages with an 
> eye-catching title that ask you to copy/paste a piece of javascript into 
> the addressbar to show whatever the title is talking about. However 
> doing so scrapes your facebook friends list, and the virus mails itself 
> to all your fb friends. [...]
> 
> There is no legitimate reason that non-developers would need to paste 
> "javascript:" URLs into the addressbar, and the ability to do so should 
> be disabled by default on all browsers.  (Of course this would not 
> affect the ability of browsers to successfully click on javascript 
> links.)

This seems like a UI issue, so I haven't changed the spec (it doesn't 
really talk about the location bar -- indeed it doesn't even require that 
one be visible at all). However, should anyone want to discuss this 
further, e.g. to organise browser vendor plans, you are welcome to do so.


On Thu, 22 Jul 2010, Boris Zbarsky wrote:
> On 7/22/10 5:03 PM, Mike Shaver wrote:
> > What should the URL bar say when the user clicks a javascript: link
> > which produces content?<a href="javascript:5;">five!</a>
> 
> This part the spec actually covers, I think; the url bar is supposed to say
> the url of the page that link was on, iirc.  Which is what I think everyone
> but Gecko does already; we actually show the javascript: url in the url bar in
> this case.

Well, the requirement (search for "override URL" to see what we're talking 
about here) isn't on the location bar per se -- it's just on what "the 
document's address" is, which is used in some of the APIs. You don't have 
to show that, indeed you could show both, or something else, or nothing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list