[whatwg] Please disallow "javascript:" URLs in browser address bars

Mike Shaver mike.shaver at gmail.com
Thu Jul 22 14:03:05 PDT 2010


On Thu, Jul 22, 2010 at 4:48 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> These days, though, all major browsers have javascript consoles which
> you can bring up and paste that into.

That doesn't typically apply to content tabs or windows, though.

I have a couple of questions:

What is the proposed change to which specification, exactly?  URL-bar
behaviour, especially input permission, seem out of scope for the
specs that the WHATWG is working on.  Would a UA that asked for the
user's permission the first time a bookmarklet is used (like some
prompt the first time a given helper app or URL scheme is used) be
compliant?

What should the URL bar say when the user clicks a javascript: link
which produces content?  <a href="javascript:5;">five!</a>

Mike



More information about the whatwg mailing list