ian at hixie.ch
Wed Aug 11 18:34:14 PDT 2010
On Thu, 22 Jul 2010, Luke Hutchison wrote:
> There has been a spate of facebook viruses in the last few months that
> have exploited social engineering and the ability to paste arbitrary
> themselves. Typically these show up as Facebook fan pages with an
> the addressbar to show whatever the title is talking about. However
> doing so scrapes your facebook friends list, and the virus mails itself
> to all your fb friends. [...]
> There is no legitimate reason that non-developers would need to paste
> be disabled by default on all browsers. (Of course this would not
This seems like a UI issue, so I haven't changed the spec (it doesn't
really talk about the location bar -- indeed it doesn't even require that
one be visible at all). However, should anyone want to discuss this
further, e.g. to organise browser vendor plans, you are welcome to do so.
On Thu, 22 Jul 2010, Boris Zbarsky wrote:
> On 7/22/10 5:03 PM, Mike Shaver wrote:
> This part the spec actually covers, I think; the url bar is supposed to say
> the url of the page that link was on, iirc. Which is what I think everyone
> this case.
Well, the requirement (search for "override URL" to see what we're talking
about here) isn't on the location bar per se -- it's just on what "the
document's address" is, which is used in some of the APIs. You don't have
to show that, indeed you could show both, or something else, or nothing.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg