[whatwg] Please disallow "javascript:" URLs in browser address bars
Aryeh Gregor
Simetrical+w3c at gmail.com
Thu Jul 22 13:41:52 PDT 2010
On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
> There is no legitimate reason that non-developers would need to paste
> "javascript:" URLs into the addressbar, and the ability to do so
> should be disabled by default on all browsers.
Sure there is: bookmarklets, basically. javascript: URLs can do lots
of fun and useful things. Also fun but not-so-useful things, like:
javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
(Credit to johnath for that one. Repeat with 0 instead of 180deg to
undo.) You can do all sorts of interesting things to the page by
pasting javascript: URLs into the URL bar. Of course, there are
obviously security problems here too, but "no legitimate reason" is
much too strong.
More information about the whatwg
mailing list