
[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Luke Hutchison <luke.hutch@mit.edu>
Date: Thu, 22 Jul 2010 16:46:43 -0400
Message-ID: <AANLkTimVwefvuDwT1Yo0b4bEsdB8y=1gcDPeWMGFmijM@mail.gmail.com>

A bookmark is more like a link than a manually-entered URL, and as mentioned
in the original email, the browser will have to of course keep working with
javascript: links.

99.9999% of people have never manually entered a javascript: URL into a
browser address bar in their life -- unless duped by a social engineering
virus.


On Thu, Jul 22, 2010 at 4:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:

> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> > There is no legitimate reason that non-developers would need to paste
> > "javascript:" URLs into the address bar, and the ability to do so
> > should be disabled by default on all browsers.
>
> Sure there is: bookmarklets, basically.  javascript: URLs can do lots
> of fun and useful things.  Also fun but not-so-useful things, like:
>
>
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>
> (Credit to johnath for that one.  Repeat with 0 instead of 180deg to
> undo.)  You can do all sorts of interesting things to the page by
> pasting javascript: URLs into the URL bar.  Of course, there are
> obviously security problems here too, but "no legitimate reason" is
> much too strong.
>
Received on Thursday, 22 July 2010 13:46:43 UTC
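
The policy discussed in this thread (refuse javascript: URLs typed or pasted into the address bar by default, while bookmarks and page links keep working) sketched as an added example; it is not code from the thread or from any browser. The names `Source`, `schemeOf`, `allowNavigation` and `developerOverride` are hypothetical, and the sample inputs in the comments are constructed.

```javascript
// Where the URL string came from (hypothetical labels for this sketch).
const Source = Object.freeze({
  TYPED: "typed",
  PASTED: "pasted",
  BOOKMARK: "bookmark",
  LINK: "link",
});

// Return the lower-cased scheme a URL parser would see, or null if none.
// The WHATWG URL parser trims leading/trailing C0 controls and spaces and
// drops ASCII tab/newline anywhere in the input, and schemes are
// case-insensitive, so a naive startsWith("javascript:") check is bypassable.
function schemeOf(input) {
  const cleaned = input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether the address bar may act on `input`.
// Assumption: "disabled by default" implies an opt-in for developers,
// modelled here as the developerOverride flag.
function allowNavigation(input, source, developerOverride = false) {
  if (schemeOf(input) !== "javascript") return true; // other schemes untouched
  if (source === Source.BOOKMARK || source === Source.LINK) return true;
  return developerOverride; // typed or pasted: refused unless opted in
}

// Constructed inputs:
//   allowNavigation("  JaVa\tScRiPt:void(0)", Source.PASTED)  -> refused
//   allowNavigation("javascript:void(0)", Source.BOOKMARK)    -> allowed
```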

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:25 UTC