[whatwg] Please disallow "javascript:" URLs in browser address bars

Luke Hutchison luke.hutch at mit.edu
Thu Jul 22 13:32:39 PDT 2010


There has been a spate of Facebook viruses in the last few months that
have exploited social engineering and the ability to paste arbitrary
JavaScript into the address bar of all major browsers to propagate
themselves.  Typically these show up as Facebook fan pages with an
eye-catching title that ask you to copy/paste a piece of JavaScript
into the address bar to show whatever the title is talking about.
However, doing so scrapes your Facebook friends list, and the virus
mails itself to all your fb friends.

Frequently these viruses will redirect to a legit-looking page after
propagating themselves, so the user doesn't know they have been duped
until one of their friends asks why they sent out the link.  In most
cases nobody says anything because it looks like a legitimate shared
link (and there's so much junk shared on Facebook anyway that nobody
can tell the difference!) -- as a result these viruses have been
wildly successful, accumulating tens of thousands of "Like"s before
anybody even reports the page as spam.

An example:

http://code.google.com/p/chromium/issues/detail?id=44796

There is no legitimate reason that non-developers would need to paste
"javascript:" URLs into the address bar, and the ability to do so
should be disabled by default on all browsers.  (Of course this would
not affect the ability of browsers to successfully click on JavaScript
links.)

The above bug report was closed with the following suggestion: "to get
traction on this, I'd suggest looping in other browser vendors. The
WHATWG list might be appropriate. These sorts of changes work best
when all browser vendors move in unison."

Comments, please?

--
Luke Hutchison
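
Added example, not part of the original message and not any browser's actual code: a sketch of the kind of address-bar check the proposal above asks for, treating pasted "javascript:" URLs as blocked by default with an opt-in for developers. The function names and the `allowScriptUrls` option are hypothetical, and the sample inputs in the comments are constructed.

```javascript
// Hypothetical address-bar filter for "javascript:" URLs (illustrative names).

// URL parsing ignores leading C0 control characters and spaces and drops
// ASCII tab/newline anywhere, so "  java\tscript:" is still a javascript:
// URL. Normalise the same way before looking at the scheme.
function normalizeForSchemeCheck(input) {
  return input
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
}

const SCRIPT_SCHEME = /^javascript:/i;

function isScriptUrl(input) {
  return SCRIPT_SCHEME.test(normalizeForSchemeCheck(input));
}

// Pasted or dropped text: leave ordinary input untouched; for script URLs
// remove every leading "javascript:" prefix, so a doubled prefix such as
// "javascript: javascript:..." cannot survive a single pass. The `stripped`
// flag lets the UI tell the user that something was removed.
function sanitizePaste(pasted) {
  if (!isScriptUrl(pasted)) {
    return { text: pasted, stripped: false };
  }
  let text = normalizeForSchemeCheck(pasted);
  while (SCRIPT_SCHEME.test(text)) {
    text = normalizeForSchemeCheck(text.slice("javascript:".length));
  }
  return { text, stripped: true };
}

// Default-deny decision for whatever ends up in the address bar.
// allowScriptUrls models a developer opt-in preference (assumed here).
function addressBarAction(input, { allowScriptUrls = false } = {}) {
  if (!isScriptUrl(input)) return "proceed";
  return allowScriptUrls ? "run-script" : "block";
}
```

Links inside a page do not go through this path, so clicking a "javascript:" link is unaffected.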


