
[whatwg] Please disallow "javascript:" URLs in browser address bars

From: Paul Ellis <paul@ellisfoundation.com>
Date: Thu, 22 Jul 2010 16:17:34 -0700
Message-ID: <AANLkTinF_t2W5ni2GM7zcYggtOsA8ESB_5CNIQvZ_Wa3@mail.gmail.com>

On Thu, Jul 22, 2010 at 2:48 PM, Mike Shaver <mike.shaver at gmail.com> wrote:

> On Thu, Jul 22, 2010 at 5:32 PM, Luke Hutchison <luke.hutch at mit.edu>
> wrote:
> > On Thu, Jul 22, 2010 at 5:03 PM, Mike Shaver <mike.shaver at gmail.com>
> wrote:
> >> Would a UA that asked for the
> >> user's permission the first time a bookmarklet is used (like some
> >> prompt the first time a given helper app or URL scheme is used) be
> >> compliant?
> >
> > You mean like Windows User Account Control? ;)
>
> No, I mean like the prompts for geolocation, popup windows, first-use
> helper applications, first-use URL protocols, and similar.  But my
> question is more about what you propose to disallow, and why you
> choose "disable" as the requirement.
>

This seems to be the wrong venue for this discussion but it is worth noting
that IE8 doesn't allow drag-and-drop of javascript: links to the favorites
bar. If you do right-click->Add to Favorites for a javascript: link it
prompts "You are adding a favorite that might not be safe. Do you want to
continue?" So clearly they think there is some security risk there. It
doesn't impede a user from copying the link and pasting it in the URL
bar, though.

Even though I regularly type JavaScript in the URL bar I think it would be a
smart change to make that disabled by default. There are already other
things I go into about:config for. :)

Paul Ellis
Received on Thursday, 22 July 2010 16:17:34 UTC
