[whatwg] Please disallow "javascript:" URLs in browser address bars

Luke Hutchison luke.hutch at mit.edu
Thu Jul 22 13:46:43 PDT 2010


A bookmark is more like a link than a manually-entered URL, and as mentioned
in the original email, the browser will have to of course keep working with
javascript: links.

99.9999% of people have never manually entered a javascript: URL into a
browser addressbar in their life -- unless duped by a social engineering
virus.


On Thu, Jul 22, 2010 at 4:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:

> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> > There is no legitimate reason that non-developers would need to paste
> > "javascript:" URLs into the addressbar, and the ability to do so
> > should be disabled by default on all browsers.
>
> Sure there is: bookmarklets, basically.  javascript: URLs can do lots
> of fun and useful things.  Also fun but not-so-useful things, like:
>
>
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>
> (Credit to johnath for that one.  Repeat with 0 instead of 180deg to
> undo.)  You can do all sorts of interesting things to the page by
> pasting javascript: URLs into the URL bar.  Of course, there are
> obviously security problems here too, but "no legitimate reason" is
> much too strong.
>