- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Thu, 21 Apr 2011 15:16:03 -0400
On Tue, Apr 19, 2011 at 9:51 AM, Wilhelm Joys Andersen <wilhelmja at opera.com> wrote: > . . . > After running the lines of script above, typing any of the > following URLs will lead the user to evilsite.tld: > > ? mail.google.com:80/mail/ > ? 192.168.1.1:80 > . . . > To save ourselves (and our users) from possible future headaches, > we have decided to disallow the use of dots in the protocol argument > of registerProtocolHandler(). It was pointed out on IRC <http://krijnhoetmer.nl/irc-logs/whatwg/20110415#l-734> that it would make sense to also ban the string "localhost", as the only common domain name that contains no dots.
Received on Thursday, 21 April 2011 12:16:03 UTC