- From: Brett Zamir <brettz9@yahoo.com>
- Date: Fri, 23 Jul 2010 12:45:49 +0800
On 7/23/2010 6:35 AM, Luke Hutchison wrote:
> On Thu, Jul 22, 2010 at 5:39 PM, Boris Zbarsky<bzbarsky at mit.edu> wrote:
>
>> I can see the security benefits of disallowing all cross-origin application
>> of javascript: (if you don't know where it came from, don't apply it).
> Yes, that is actually a really good way to put things -- javascript
> typed into the URL bar is cross-origin. (And dragging bookmarklets to
> the address bar or bookmarks bar is also cross-origin, that's the
> reason that a security check should be applied and/or user warning
> given.)
>
> Facebook already disallows the execution of arbitrary js code on a fan
> page, of course, which is why these viruses require you to manually
> copy/paste into the addressbar.

In whatever security mechanism is worked out, besides preserving the ability for people to be able to use the URL bar for potentially privileged bookmarklets if they wish (even if they must give permission after receiving a specific warning), I would actually like to see the privileges available to bookmarklets expanded, upon explicit warnings and user permission.

For example, it would be of enormous use to be able to link someone to a specific site, while manipulating the view of that page such as to mash over the data with tooltips, mash down some data from it to a smaller set, mash up the data with additional notes/sources (whether from other sites or text found on the source page), or mash under the data with semantic markup changes or highlighting of specific text.

I know this is absolutely dangerous, but if people can install extensions which can wipe out hard-drives with two clicks and a restart (and thank God that such power exists in browsers like Firefox so people can make extensions which do access the file system for positive uses), there should be a way, such as with dead-serious warnings (and I'll concede disallowing https), that people can mash an existing source and still work in its scope (just as I think there should be the ability to run cross-domain Ajax after getting user permission).

Greasemonkey is great, but it would be nice for there to be a standard, especially for uses such as referring people immediately to a specific subset of content on another page.

Brett

Received on Thursday, 22 July 2010 21:45:49 UTC