- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 14 Dec 2011 14:14:05 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org
> [1] Mozilla pissed off a huge number of people by turning off javascript: URLs in the location bar. See the comment thread in https://bugzilla.mozilla.org/show_bug.cgi?id=656433 But the problem with that was mostly that you couldn't turn it back, right? There was an about:config setting, but the script would still execute in a null principal after the change; and the scripts executed via Ctrl-Shift-J or Ctrl-Shift-K have elevated privileges and don't behave the same way as normal javascript: URLs. It seems a bit weird to fix this on a per-site basis. Seems like a per-user approach with robust defaults is more sensible. /mz
Received on Wednesday, 14 December 2011 22:15:08 UTC