
[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Thu, 22 Jul 2010 13:48:38 -0700
Message-ID: <AANLkTilXLZWabvqrtRAELbJcHOyqeTgMlHOwefBcUj3F@mail.gmail.com>
On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
>> There is no legitimate reason that non-developers would need to paste
>> "javascript:" URLs into the addressbar, and the ability to do so
>> should be disabled by default on all browsers.
>
> Sure there is: bookmarklets, basically. javascript: URLs can do lots
> of fun and useful things. Also fun but not-so-useful things, like:
>
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>
> (Credit to johnath for that one. Repeat with 0 instead of 180deg to
> undo.) You can do all sorts of interesting things to the page by
> pasting javascript: URLs into the URL bar. Of course, there are
> obviously security problems here too, but "no legitimate reason" is
> much too strong.

These days, though, all major browsers have javascript consoles which
you can bring up and paste that into.  As with Adam's suggestion of
allowing bookmarklets, this would push such attacks further into the
"too much effort to be effective" path, unlike the "copy+paste into
address bar" that javascript: urls allow right now.

~TJ
Received on Thursday, 22 July 2010 13:48:38 UTC
