W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2010

[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 22 Jul 2010 14:42:25 -0700
Message-ID: <AANLkTinqyh_AocoGDyn8T43nezZSJaau-sQmD7hLn09V@mail.gmail.com>
On Thu, Jul 22, 2010 at 1:46 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
>> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
>>> There is no legitimate reason that non-developers would need to paste
>>> "javascript:" URLs into the addressbar, and the ability to do so
>>> should be disabled by default on all browsers.
>>
>> Sure there is: bookmarklets, basically. ?javascript: URLs can do lots
>> of fun and useful things. ?Also fun but not-so-useful things, like:
>> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>>
>> (Credit to johnath for that one. ?Repeat with 0 instead of 180deg to
>> undo.) ?You can do all sorts of interesting things to the page by
>> pasting javascript: URLs into the URL bar. ?Of course, there are
>> obviously security problems here too, but "no legitimate reason" is
>> much too strong.
>
> We could allow bookmarklets without allowing direct pasting into the
> URL bar. ?That would make the social engineering more complex at
> least.

That was my initial thought too, but I'm not sure that would help very
much since that would just change the social engineering attack from
"copy this text and paste it in the url bar" to "create a bookmark
with this url and then go there" or "bookmark this url, then visit
facebook and load it".

/ Jonas
Received on Thursday, 22 July 2010 14:42:25 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:25 UTC