[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Mike Shaver <mike.shaver@gmail.com>
Date: Thu, 22 Jul 2010 17:03:05 -0400
Message-ID: <AANLkTinhokCiqyK6AU_ZaFZDtgrM1ikY649siNyu_WKz@mail.gmail.com>

On Thu, Jul 22, 2010 at 4:48 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> These days, though, all major browsers have javascript consoles which
> you can bring up and paste that into.

That doesn't typically apply to content tabs or windows, though.

I have a couple of questions:

What is the proposed change to which specification, exactly?  URL-bar
behaviour, especially input permission, seems out of scope for the
specs that the WHATWG is working on.  Would a UA that asked for the
user's permission the first time a bookmarklet is used (like some
prompt the first time a given helper app or URL scheme is used) be
compliant?

What should the URL bar say when the user clicks a javascript: link
which produces content?  <a href="javascript:5;">five!</a>

Mike
Received on Thursday, 22 July 2010 14:03:05 UTC