w3c at adambarth.com
Thu Jul 22 13:36:25 PDT 2010
but I might not be a typical user. :)
This sounds like a great opportunity for a CSP directive.
On Thu, Jul 22, 2010 at 1:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
> There has been a spate of facebook viruses in the last few months that
> have exploited social engineering and the ability to paste arbitrary
> themselves. Typically these show up as Facebook fan pages with an
> into the addressbar to show whatever the title is talking about.
> However doing so scrapes your facebook friends list, and the virus
> mails itself to all your fb friends.
> Frequently these viruses will redirect to a legit-looking page after
> propagating themselves, so the user doesn't know they have been duped
> until one of their friends ask why they sent out the link. In most
> cases nobody says anything because it looks like a legitimate shared
> link (and there's so much junk shared on facebook anyway that nobody
> can tell the difference!) -- as a result these viruses have been
> wildly successful, accumulating tens of thousands of "Like"s before
> anybody even reports the page as spam.
> An example:
> There is no legitimate reason that non-developers would need to paste
> should be disabled by default on all browsers. (Of course this would
> The above bug report was closed with the following suggestion: "to get
> traction on this, I'd suggest looping in other browser vendors. The
> WHATWG list might be appropriate. These sorts of changes work best
> when all browser vendors move in unison."
> Comments, please?
> Luke Hutchison
More information about the whatwg