[whatwg] Please disallow "javascript:" URLs in browser address bars

Maciej Stachowiak mjs at apple.com
Thu Jul 22 14:02:52 PDT 2010


On Jul 22, 2010, at 1:32 PM, Luke Hutchison wrote:

> There has been a spate of facebook viruses in the last few months that
> have exploited social engineering and the ability to paste arbitrary
> javascript into the addressbar of all major browsers to propagate
> themselves.  Typically these show up as Facebook fan pages with an
> eye-catching title that ask you to copy/paste a piece of javascript
> into the addressbar to show whatever the title is talking about.
> However doing so scrapes your facebook friends list, and the virus
> mails itself to all your fb friends.
> 
> Frequently these viruses will redirect to a legit-looking page after
> propagating themselves, so the user doesn't know they have been duped
> until one of their friends ask why they sent out the link.  In most
> cases nobody says anything because it looks like a legitimate shared
> link (and there's so much junk shared on facebook anyway that nobody
> can tell the difference!) -- as a result these viruses have been
> wildly successful, accumulating tens of thousands of "Like"s before
> anybody even reports the page as spam.
> 
> An example:
> 
> http://code.google.com/p/chromium/issues/detail?id=44796
> 
> There is no legitimate reason that non-developers would need to paste
> "javascript:" URLs into the addressbar, and the ability to do so
> should be disabled by default on all browsers.  (Of course this would
> not affect the ability of browsers to successfully click on javascript
> links.)
> 
> The above bug report was closed with the following suggestion: "to get
> traction on this, I'd suggest looping in other browser vendors. The
> WHATWG list might be appropriate. These sorts of changes work best
> when all browser vendors move in unison."
> 
> Comments, please?

Interesting idea, but out of scope for the spec. This is a UI issue, not a content issue. HTML5 has no authority over what happens when the user types in the address bar.

Here's some thoughts on the idea of making this change:

1) We probably can't disallow javascript: in bookmarks since many popular user features are distributed as bookmarklets. Does this still leave too much avenue for social engineering attack?

2) One possibility is to make javascript: URLs an optional developer-only feature in the UI. I don't know if we could get away with completely removing support in the address bar.

Regards,
Maciej




More information about the whatwg mailing list