[whatwg] Please disallow "javascript:" URLs in browser address bars
Charles Iliya Krempeaux
supercanadian at gmail.com
Wed Aug 11 19:14:05 PDT 2010
On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com>
> wrote:
> > On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> >> There is no legitimate reason that non-developers would need to paste
> >> "javascript:" URLs into the addressbar, and the ability to do so
> >> should be disabled by default on all browsers.
> >
> > Sure there is: bookmarklets, basically. javascript: URLs can do lots
> > of fun and useful things. Also fun but not-so-useful things, like:
> >
> > javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
> >
> > (Credit to johnath for that one. Repeat with 0 instead of 180deg to
> > undo.) You can do all sorts of interesting things to the page by
> > pasting javascript: URLs into the URL bar. Of course, there are
> > obviously security problems here too, but "no legitimate reason" is
> > much too strong.
>
> We could allow bookmarklets without allowing direct pasting into the
> URL bar. That would make the social engineering more complex at
> least.
>
> Adam
>
Would a pop-up warning be sufficient, rather than disallowing it?
For example, if I write the following URL into Firefox...
http://charles@49research.com/
... Firefox will pop up a modal dialog box with the following message...
> You are about to log in to the site "49research.com" with the username
> "charles", but the website does not require authentication. This may be an
> attempt to trick you.
>
> Is "49research.com" the site you want to visit?
>
> [yes] [no]
>
Perhaps a modal dialog box could pop up for copy-and-pasted JavaScript URLs
too (after the user presses enter).
--
Charles Iliya Krempeaux, B.Sc.
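An added example, not code from anyone in the thread, sketching the check a browser could run on address-bar input to decide whether to show the kind of modal warning Charles describes (and to let saved bookmarklets through, as Adam suggests). It relies on the WHATWG URL parser, the built-in `URL` class, so the scheme check sees the same normalisation the browser applies; the `source` argument ("typed", "pasted" or "bookmark") is assumed to be supplied by the browser UI.

```javascript
// Added example, not code from the thread. The built-in URL class does the
// scheme detection so the check sees the same normalisation the browser
// applies to what the user typed: leading/trailing spaces and control
// characters stripped, tabs and newlines removed, scheme lower-cased.
// A naive startsWith("javascript:") misses all three forms.
// `source` is assumed to come from the browser UI: "typed", "pasted" or "bookmark".
function classifyAddressBarInput(input, source = "typed") {
  let url;
  try {
    url = new URL(input);
  } catch {
    // Not an absolute URL: treated as a search or relative navigation,
    // neither of which executes script.
    return { warn: false, reason: "not-a-url" };
  }

  if (url.protocol === "javascript:") {
    // Adam's distinction: a bookmarklet the user saved earlier is allowed
    // through; a typed or pasted javascript: URL gets the warning dialog.
    if (source === "bookmark") return { warn: false, reason: "bookmarklet" };
    return { warn: true, reason: "javascript-url" };
  }

  if ((url.protocol === "http:" || url.protocol === "https:") && url.username !== "") {
    // The existing Firefox case from the mail: a userinfo component can make
    // "charles@49research.com" read as a login, so report the real host.
    return { warn: true, reason: "userinfo", host: url.hostname, username: url.username };
  }

  return { warn: false, reason: "ordinary" };
}

// Constructed inputs, including two javascript: spellings a prefix check misses.
const SAMPLES = [
  ["http://charles@49research.com/", "typed"],
  ["javascript:document.body.style.MozTransform='rotate(180deg)';void(0)", "bookmark"],
  ["javascript:document.body.style.MozTransform='rotate(180deg)';void(0)", "pasted"],
  ["  JavaScript:void(0)", "pasted"],
  ["java\tscript:void(0)", "pasted"],
  ["https://example.com/search?q=javascript:", "typed"],
  ["not a url at all", "typed"],
];

for (const [input, source] of SAMPLES) {
  console.log(JSON.stringify(input), source, "->", classifyAddressBarInput(input, source));
}
```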