W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2010

[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Mike Shaver <mike.shaver@gmail.com>
Date: Thu, 22 Jul 2010 17:48:16 -0400
Message-ID: <AANLkTinsXHK9sOBE6UbTrc7tEsRUsVNGskee1apZCWml@mail.gmail.com>
On Thu, Jul 22, 2010 at 5:32 PM, Luke Hutchison <luke.hutch at mit.edu> wrote:
> On Thu, Jul 22, 2010 at 5:03 PM, Mike Shaver <mike.shaver at gmail.com> wrote:
>> What is the proposed change to which specification, exactly?  URL-bar
>> behaviour, especially input permission, seem out of scope for the
>> specs that the WHATWG is working on.
>
> Is there a better venue to discuss this then?  (It seems like even if
> UI issues are out of the scope of what WHATWG is working on, all the
> right people are signed up to this list...)

I'm not sure of a better venue off-hand.  I don't think that there's
anyone from Microsoft participating in this list, though, and I expect
that a lot of the users affected by the Facebook viruses are using
their browser.

>> Would a UA that asked for the
>> user's permission the first time a bookmarklet is used (like some
>> prompt the first time a given helper app or URL scheme is used) be
>> compliant?
>
> You mean like Windows User Account Control? ;)

No, I mean like the prompts for geolocation, popup windows, first-use
helper applications, first-use URL protocols, and similar.  But my
question is more about what you propose to disallow, and why you
choose "disable" as the requirement.

> It's not unreasonable to guess that the number of people
> inconvenienced by the easy exploitability of the current behavior
> numbers in the millions, given that Facebook has 500M users and these
> viruses continue to spread like wildfire.  The number inconvenienced
> by having these URLs disabled by default (and re-enableable via a
> developer option the first time they hit this limitation)

That is only helpful against the specific case of direct paste in the
URL bar, though, and bookmarklets aren't just a developer-only
feature.  They're widely used by URL-shortening services, blogging and
micro-blogging services, and Amazon's universal wish list.

> Given the success of these exploits so far, it is also reasonable to
> suggest that the sophistication of attack will only increase with
> time.

Yes, which I think is why so many of us are suggesting that making the
social engineer say "drag this link to your bookmark bar, and use it
when you Really Like something!" is not going to be much of a
mitigation.

It's not that I don't believe it's a problem, to be clear; it's that I
don't think you're proposing a meaningful solution to it!

Mike
Received on Thursday, 22 July 2010 14:48:16 UTC
