I understand your point. Historically JavaScript has been crippled since it does run on the client. It has largely been accepted by the adoption committees that JavaScript should not be allowed anywhere near anything that involves direct user interaction with the browser itself. This includes closing windows, preventing a user from leaving a page, etc. It affects the usability of a browser if the user doesn't have complete control over the navigation bar.
While your proposal does have validity, don't hold your breath. Even if the adoption committees considered adopting this fringe case, I believe the potential exploits that it opens would prevent any kind of acceptance. Even if it did, it would take years to become practical on the web.

On Sun, Dec 21, 2008 at 4:42 PM, Xeoncross <[email protected]> wrote:

> > I think I have an answer: imagine if you have a "My bank" link in a site you
> > don't completely trust, you check in your statusbar if the URL is trustful
> > (i.e. address =http://www.mybank.com) and you think it is. But when you
> > click, there's a JS that changes the URL and redirects you on a phishing
> > site; you trusted the link, why can't you trust the site? You can imagine
> > the rest...
>
> That is a change of site link - we are talking about only allowing a URL change
> on the SAME site. Like,
> mybank.com to mybank.com/page1.html
>
> not
> mybank.com to evilsite.com
