[whatwg] Please disallow "javascript:" URLs in browser address bars

Charles Iliya Krempeaux supercanadian at gmail.com
Wed Aug 11 19:14:05 PDT 2010

On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <w3c at adambarth.com> wrote:

> On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com<Simetrical%2Bw3c at gmail.com>>
> wrote:
> > On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> >> There is no legitimate reason that non-developers would need to paste
> >> "javascript:" URLs into the addressbar, and the ability to do so
> >> should be disabled by default on all browsers.
> >
> > Sure there is: bookmarklets, basically.  javascript: URLs can do lots
> > of fun and useful things.  Also fun but not-so-useful things, like:
> >
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
> >
> > (Credit to johnath for that one.  Repeat with 0 instead of 180deg to
> > undo.)  You can do all sorts of interesting things to the page by
> > pasting javascript: URLs into the URL bar.  Of course, there are
> > obviously security problems here too, but "no legitimate reason" is
> > much too strong.
> We could allow bookmarklets without allowing direct pasting into the
> URL bar.  That would make the social engineering more complex at
> least.
> Adam

Would a pop-up warning be sufficient, rather than disallowing it?

For example, if I write the following URL into Firefox...


... Firefox will pop-up a modal dialog box with the following message...

> You are about to log in to the site "49research.com" with the username
> "charles", but the website does not require authentication.  This may be an
> attempt to trick you.
> Is "49research.com" the site you want to visit?
>                       [yes]     [no]

Perhaps a modal dialog box could pop-up for copy-and-pasted JavaScript URLs
to (after the user presses enter).

Charles Iliya Krempeaux, B.Sc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100811/4f0e806d/attachment-0002.htm>

More information about the whatwg mailing list