[whatwg] Please disallow "javascript:" URLs in browser address bars

Aryeh Gregor Simetrical+w3c at gmail.com
Thu Jul 22 13:41:52 PDT 2010


On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
> There is no legitimate reason that non-developers would need to paste
> "javascript:" URLs into the addressbar, and the ability to do so
> should be disabled by default on all browsers.

Sure there is: bookmarklets, basically.  javascript: URLs can do lots
of fun and useful things.  Also fun but not-so-useful things, like:

javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);

(Credit to johnath for that one.  Repeat with 0 instead of 180deg to
undo.)  You can do all sorts of interesting things to the page by
pasting javascript: URLs into the URL bar.  Of course, there are
obviously security problems here too, but "no legitimate reason" is
much too strong.


More information about the whatwg mailing list