- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 22 Jul 2010 13:46:00 -0700
On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote: > On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote: >> There is no legitimate reason that non-developers would need to paste >> "javascript:" URLs into the addressbar, and the ability to do so >> should be disabled by default on all browsers. > > Sure there is: bookmarklets, basically. ?javascript: URLs can do lots > of fun and useful things. ?Also fun but not-so-useful things, like: > javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0); > > (Credit to johnath for that one. ?Repeat with 0 instead of 180deg to > undo.) ?You can do all sorts of interesting things to the page by > pasting javascript: URLs into the URL bar. ?Of course, there are > obviously security problems here too, but "no legitimate reason" is > much too strong. We could allow bookmarklets without allowing direct pasting into the URL bar. That would make the social engineering more complex at least. Adam
Received on Thursday, 22 July 2010 13:46:00 UTC