[whatwg] Please disallow "javascript:" URLs in browser address bars

Jonas Sicking jonas at sicking.cc
Thu Jul 22 14:42:25 PDT 2010


On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
>> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
>>> There is no legitimate reason that non-developers would need to paste
>>> "javascript:" URLs into the addressbar, and the ability to do so
>>> should be disabled by default on all browsers.
>>
>> Sure there is: bookmarklets, basically.  javascript: URLs can do lots
>> of fun and useful things.  Also fun but not-so-useful things, like:
>> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>>
>> (Credit to johnath for that one.  Repeat with 0 instead of 180deg to
>> undo.)  You can do all sorts of interesting things to the page by
>> pasting javascript: URLs into the URL bar.  Of course, there are
>> obviously security problems here too, but "no legitimate reason" is
>> much too strong.
>
> We could allow bookmarklets without allowing direct pasting into the
> URL bar.  That would make the social engineering more complex at
> least.

That was my initial thought too, but I'm not sure that would help very
much since that would just change the social engineering attack from
"copy this text and paste it in the url bar" to "create a bookmark
with this url and then go there" or "bookmark this url, then visit
facebook and load it".

/ Jonas



More information about the whatwg mailing list