[whatwg] Please disallow "javascript:" URLs in browser address bars

Boris Zbarsky bzbarsky at MIT.EDU
Thu Jul 22 13:51:31 PDT 2010


On 7/22/10 4:46 PM, Luke Hutchison wrote:
> A bookmark is more like a link than a manually-entered URL

What would prevent the viruses in question from saying "drag this link 
to your bookmarks bar and then click the bookmark"?

Note that this is something that sites actually do... not necessarily 
commonly, but often enough.  http://www.google.com/reader/settings the 
"Goodies" tab is an example.

Or http://lab.arc90.com/experiments/readability/ for that matter.

> 99.9999% of people have never manually entered a javascript: URL into a
> browser addressbar in their life -- unless duped by a social engineering
> virus.

I agree, but the duping for bookmarks seems just as simple....

-Boris



More information about the whatwg mailing list