[whatwg] Please disallow "javascript:" URLs in browser address bars

Paul Ellis paul at ellisfoundation.com
Thu Jul 22 16:17:34 PDT 2010

On Thu, Jul 22, 2010 at 2:48 PM, Mike Shaver <mike.shaver at gmail.com> wrote:

> On Thu, Jul 22, 2010 at 5:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> > On Thu, Jul 22, 2010 at 5:03 PM, Mike Shaver <mike.shaver at gmail.com>
> wrote:
> >> Would a UA that asked for the
> >> user's permission the first time a bookmarklet is used (like some
> >> prompt the first time a given helper app or URL scheme is used) be
> >> compliant?
> >
> > You mean like Windows User Account Control? ;)
> No, I mean like the prompts for geolocation, popup windows, first-use
> helper applications, first-use URL protocols, and similar.  But my
> question is more about what you propose to disallow, and why you
> choose "disable" as the requirement.

This seems to be the wrong venue for this discussion but it is worth noting
that IE8 doesn't allow drag-and-drop of javascript: links to the favorites
bar. If you do right-click->Add to Favorites for a javascript: link it
prompts "You are adding a favorite that might not be safe. Do you want to
continue?" So clearly they think there is some security risk there. It
doesn't impede a user from copying the link though and pasting it in the URL
bar though.

Even though I regularly type JavaScript in the URL bar I think it would be a
smart change to make that disabled by default. There are already other
things I go into about:config for. :)

Paul Ellis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100722/4026bbdd/attachment-0002.htm>

More information about the whatwg mailing list