W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2010

[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Luke Hutchison <luke.hutch@mit.edu>
Date: Thu, 22 Jul 2010 17:32:29 -0400
Message-ID: <AANLkTi=mSso6CZRNGzD743FfNqQEV2w6t-wdn-ML-Nxn@mail.gmail.com>
On Thu, Jul 22, 2010 at 5:03 PM, Mike Shaver <mike.shaver at gmail.com> wrote:
> What is the proposed change to which specification, exactly? ?URL-bar
> behaviour, especially input permission, seem out of scope for the
> specs that the WHATWG is working on.

Is there a better venue to discuss this then?  (It seems like even if
UI issues are out of the scope of what WHATWG is working on, all the
right people are signed up to this list...)

> Would a UA that asked for the
> user's permission the first time a bookmarklet is used (like some
> prompt the first time a given helper app or URL scheme is used) be
> compliant?

You mean like Windows User Account Control? ;)

On Thu, Jul 22, 2010 at 5:02 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> 2) One possibility is to make javascript: URLs an optional
> developer-only feature in the UI. I don't know if we could get
> away with completely removing support in the address bar.

That would be the ideal solution.

On Thu, Jul 22, 2010 at 5:19 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> Just because there are two vectors for exploitation doesn't mean you
>> shouldn't close the simplest one to exploit :-)
>
> Well, is it the simplest one, though? ?If closing it will do nothing for
> security but just inconvenience people, what's the point? ?I'd really rather
> not have us doing security theater just to look like we're doing something.

It's not unreasonable to guess that the number of people
inconvenienced by the easy exploitability of the current behavior
numbers in the millions, given that Facebook has 500M users and these
viruses continue to spread like wildfire.  The number inconvenienced
by having these URLs disabled by default (and re-enableable via a
developer option the first time they hit this limitation) would be
several orders of magnitude smaller than that number.

Given the success of these exploits so far, it is also reasonable to
suggest that the sophistication of attack will only increase with
time.
Received on Thursday, 22 July 2010 14:32:29 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:25 UTC