
[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Charles Iliya Krempeaux <supercanadian@gmail.com>
Date: Wed, 11 Aug 2010 19:14:05 -0700
Message-ID: <AANLkTi=cgveJhShjxV3bWJbiS7L2q45RzMmkO7N9Mt2c@mail.gmail.com>
On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <w3c at adambarth.com> wrote:

> On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com>
> wrote:
> > On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> >> There is no legitimate reason that non-developers would need to paste
> >> "javascript:" URLs into the addressbar, and the ability to do so
> >> should be disabled by default on all browsers.
> >
> > Sure there is: bookmarklets, basically.  javascript: URLs can do lots
> > of fun and useful things.  Also fun but not-so-useful things, like:
> >
> > javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
> >
> > (Credit to johnath for that one.  Repeat with 0 instead of 180deg to
> > undo.)  You can do all sorts of interesting things to the page by
> > pasting javascript: URLs into the URL bar.  Of course, there are
> > obviously security problems here too, but "no legitimate reason" is
> > much too strong.
>
> We could allow bookmarklets without allowing direct pasting into the
> URL bar.  That would make the social engineering more complex at
> least.
>
> Adam
>

Would a pop-up warning be sufficient, rather than disallowing it?

For example, if I write the following URL into Firefox...

http://charles at 49research.com/

... Firefox will pop-up a modal dialog box with the following message...

> You are about to log in to the site "49research.com" with the username
> "charles", but the website does not require authentication.  This may be an
> attempt to trick you.
>
> Is "49research.com" the site you want to visit?
>
>                       [yes]     [no]
>

Perhaps a modal dialog box could pop-up for copy-and-pasted JavaScript URLs
too (after the user presses enter).


--
Charles Iliya Krempeaux, B.Sc.
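The thread compares two address-bar cases: `javascript:` URLs, which Adam suggests allowing from bookmarklets but not from direct input, and `http://user@host/` URLs, for which Firefox already shows the "about to log in" dialog Charles quotes. The following is an added example, written for this page and not code from the thread or from any browser, of a decision function that an address bar could run on the string before navigating. The `source` vocabulary (`"typed"`, `"pasted"`, `"bookmark"`) and the result field names are assumptions made here; the inputs in the demonstration are constructed. The one thing it shows that the prose does not is why the check must run on the parsed URL rather than the raw string: the WHATWG URL parser strips surrounding spaces and control characters and ignores tabs and newlines before it reads the scheme, so a plain prefix test and the browser can disagree about what a pasted string is.

```javascript
// Added example (not from the thread or any browser): decide what an address
// bar should do with user-supplied text before navigating to it.

// Schemes that should prompt when they arrive by typing or pasting. Only
// javascript: is discussed in the thread; the Set makes the policy explicit.
const SCHEMES_TO_WARN_ON_DIRECT_INPUT = new Set(["javascript:"]);

// Parse the way the browser will. The WHATWG URL parser removes leading and
// trailing C0 controls/spaces and deletes ASCII tab, LF and CR before it
// looks at the scheme, so checking the parsed object matches what would run.
function parseAsBrowser(input) {
  try {
    return new URL(input);
  } catch (e) {
    return null; // not an absolute URL: the bar would search or add a scheme
  }
}

// A raw-string prefix test, shown only to contrast with parseAsBrowser():
// it reports false for inputs the URL parser still treats as javascript:.
function naivePrefixCheck(input) {
  return input.startsWith("javascript:");
}

// source is "typed", "pasted" or "bookmark" (assumed vocabulary).
// Returns { action: "warn" | "navigate", reason, ...details }.
function classifyAddressBarInput(input, source) {
  const url = parseAsBrowser(input);
  if (url === null) {
    return { action: "navigate", reason: "not-a-url" };
  }
  if (SCHEMES_TO_WARN_ON_DIRECT_INPUT.has(url.protocol)) {
    // Bookmarklets pass through, per the suggestion in the thread; anything
    // the user typed or pasted gets a confirmation first.
    return source === "bookmark"
      ? { action: "navigate", reason: "bookmarklet" }
      : { action: "warn", reason: "javascript-url" };
  }
  if ((url.protocol === "http:" || url.protocol === "https:") && url.username !== "") {
    return {
      action: "warn",
      reason: "userinfo-in-url",
      host: url.hostname,
      username: url.username,
    };
  }
  return { action: "navigate", reason: "ok" };
}

// Dialog text for a "warn" result. The userinfo wording follows the Firefox
// message quoted in the thread (Firefox shows it only after the site did not
// ask for credentials; here it is built from the parsed URL alone). The
// javascript: wording is invented for this example.
function warningMessage(result) {
  switch (result.reason) {
    case "userinfo-in-url":
      return `You are about to log in to the site "${result.host}" with the username ` +
        `"${result.username}", but the website does not require authentication. ` +
        `This may be an attempt to trick you.\n\nIs "${result.host}" the site you want to visit?`;
    case "javascript-url":
      return "This address runs script inside the current page. If someone asked " +
        "you to paste it, it may be an attempt to act as you on this site.\n\nRun it anyway?";
    default:
      return null;
  }
}

// Stand-alone demonstration over constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    ["http://charles@49research.com/", "typed"],
    ["javascript:void(0)", "pasted"],
    ["javascript:void(0)", "bookmark"],
    ["\t JavaScript:void(0)", "pasted"],
    ["https://example.com/", "typed"],
    ["example.com", "typed"],
  ];
  for (const [input, source] of samples) {
    const result = classifyAddressBarInput(input, source);
    console.log(JSON.stringify(input), source, "->", JSON.stringify(result));
    if (result.action === "warn") console.log(warningMessage(result));
  }
}
```

Run under Node (`node classify.js`) to see each sample classified. The fourth sample is the instructive one: `naivePrefixCheck` says it is not a `javascript:` URL, while the parser, and therefore the browser, says it is, which is why the decision is taken on the parsed `protocol` rather than on the pasted text.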
Received on Wednesday, 11 August 2010 19:14:05 UTC
