- From: Daniel Cater <djcater@gmail.com>
- Date: Fri, 23 Jul 2010 03:35:38 +0100
Note that for Mozilla this is basically bug 305692: https://bugzilla.mozilla.org/show_bug.cgi?id=305692 I mentioned Facebook in comment 9.

Daniel Cater.

On 22 July 2010 21:32, Luke Hutchison <luke.hutch at mit.edu> wrote:
> There has been a spate of facebook viruses in the last few months that
> have exploited social engineering and the ability to paste arbitrary
> javascript into the addressbar of all major browsers to propagate
> themselves. Typically these show up as Facebook fan pages with an
> eye-catching title that ask you to copy/paste a piece of javascript
> into the addressbar to show whatever the title is talking about.
> However doing so scrapes your facebook friends list, and the virus
> mails itself to all your fb friends.
>
> Frequently these viruses will redirect to a legit-looking page after
> propagating themselves, so the user doesn't know they have been duped
> until one of their friends asks why they sent out the link. In most
> cases nobody says anything because it looks like a legitimate shared
> link (and there's so much junk shared on facebook anyway that nobody
> can tell the difference!) -- as a result these viruses have been
> wildly successful, accumulating tens of thousands of "Like"s before
> anybody even reports the page as spam.
>
> An example:
>
> http://code.google.com/p/chromium/issues/detail?id=44796
>
> There is no legitimate reason that non-developers would need to paste
> "javascript:" URLs into the addressbar, and the ability to do so
> should be disabled by default on all browsers. (Of course this would
> not affect the ability of browsers to successfully click on javascript
> links.)
>
> The above bug report was closed with the following suggestion: "to get
> traction on this, I'd suggest looping in other browser vendors. The
> WHATWG list might be appropriate. These sorts of changes work best
> when all browser vendors move in unison."
>
> Comments, please?
>
> --
> Luke Hutchison
Received on Thursday, 22 July 2010 19:35:38 UTC
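As an added illustration of the mitigation Luke proposes (not code from this thread or from any browser vendor), here is a sketch of how an address bar could refuse typed or pasted `javascript:` URLs while leaving clicked links alone. The scheme check has to tolerate what a URL parser tolerates (leading control characters, tab/newline inside the scheme, mixed case), otherwise trivially obfuscated pastes slip through; the "strip the scheme and keep the rest as plain text" policy is an assumption chosen for this example.

```javascript
// Added example: address-bar handling that blocks user-entered
// javascript: URLs. Only the typed/pasted path calls this; navigation
// triggered by clicking a link in a page is not routed through it.
const SCHEME = "javascript:";

// Normalise the input the way the URL parser does before it detects a
// scheme: drop leading/trailing C0 controls and spaces, then remove any
// ASCII tab, LF or CR anywhere in the string.
function normalizeForSchemeCheck(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the (normalised) text would be parsed as a javascript: URL.
// Scheme matching is case-insensitive, so "JaVaScRiPt:" counts too.
function isJavascriptUrl(input) {
  const n = normalizeForSchemeCheck(input);
  return n.slice(0, SCHEME.length).toLowerCase() === SCHEME;
}

// Assumed policy for this example: ordinary input navigates as usual;
// a javascript: URL is blocked and the text after the scheme is handed
// back as inert plain text (e.g. to leave in the box or feed to search),
// so nothing pasted by a user can execute in the current page's origin.
function handleAddressBarInput(input) {
  if (!isJavascriptUrl(input)) {
    return { action: "navigate", url: input.trim() };
  }
  const n = normalizeForSchemeCheck(input);
  return { action: "blocked", stripped: n.slice(SCHEME.length) };
}
```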