[whatwg] Please disallow "javascript:" URLs in browser address bars

Boris Zbarsky bzbarsky at MIT.EDU
Thu Jul 22 14:39:47 PDT 2010

On 7/22/10 5:32 PM, Luke Hutchison wrote:
>> Well, is it the simplest one, though?  If closing it will do nothing for
>> security but just inconvenience people, what's the point?  I'd really rather
>> not have us doing security theater just to look like we're doing something.
> It's not unreasonable to guess that the number of people
> inconvenienced by the easy exploitability of the current behavior
> numbers in the millions, given that Facebook has 500M users and these
> viruses continue to spread like wildfire.  The number inconvenienced
> by having these URLs disabled by default (and re-enableable via a
> developer option the first time they hit this limitation) would be
> several orders of magnitude smaller than that number.
> Given the success of these exploits so far, it is also reasonable to
> suggest that the sophistication of attack will only increase with
> time.

I'll note that you didn't actually answer my question, which was whether 
changing the behavior here would actually have tangible security 
benefits.  I can see the security benefits of disallowing all 
cross-origin application of javascript: (if you don't know where it came 
from, don't apply it).  But it doesn't sound like you're suggesting 
that... and what you're suggesting seems to only close one of at least 
two equally easy to target social-engineering attacks.  In other words, 
its usefulness as a security measure relies on its not being implemented 
yet; the moment it's implemented the virus writers will switch to the 
other attack, no?

Now if we really think the other attack is harder to carry out, that's a 
different kettle of fish, as I said. But I see no evidence of that....


More information about the whatwg mailing list