[whatwg] Please disallow "javascript:" URLs in browser address bars

Luke Hutchison luke.hutch at mit.edu
Thu Jul 22 16:30:32 PDT 2010


On Thu, Jul 22, 2010 at 7:17 PM, Paul Ellis <paul at ellisfoundation.com> wrote:
> This seems to be the wrong venue for this discussion but it is worth noting
> that IE8 doesn't allow drag-and-drop of javascript: links to the favorites
> bar. If you do right-click->Add to Favorites for a javascript: link it
> prompts "You are adding a favorite that might not be safe. Do you want to
> continue?" So clearly they think there is some security risk there. It
> doesn't impede a user from copying the link though and pasting it in the URL
> bar though.

All the browsers do this for extensions, and Chrome does it for its
pure-JS extensions as well as for Greasemonkey scripts.  It's actually
quite surprising that none of the browsers other than IE8 protect
against bookmarklets the way they protect against extensions.

On Thu, Jul 22, 2010 at 7:17 PM, Paul Ellis <paul at ellisfoundation.com> wrote:
> Even though I regularly type JavaScript in the URL bar I think it would be a
> smart change to make that disabled by default. There are already other
> things I go into about:config for. :)
>
> Paul Ellis

I'm happy to move the discussion to another venue if somebody can
suggest a venue that the idea may have sufficient traction with the
different browser vendors.  (Or are they all here on this list and
they're not really gathered in one place on a list anywhere else?
Should there be another list on this site for issues outside the
WHATWG spec discussion, maybe?)

Luke


More information about the whatwg mailing list