On Thu, Jul 22, 2010 at 1:41 PM, Aryeh Gregor <[email protected]> wrote:
> On Thu, Jul 22, 2010 at 4:32 PM, Luke Hutchison <[email protected]> wrote:
>> There is no legitimate reason that non-developers would need to paste
>> "javascript:" URLs into the address bar, and the ability to do so
>> should be disabled by default on all browsers.
>
> Sure there is: bookmarklets, basically. javascript: URLs can do lots
> of fun and useful things. Also fun but not-so-useful things, like:
>
> javascript:document.body.style.MozTransform=document.body.style.WebkitTransform=document.body.style.OTransform="rotate(180deg)";void(0);
>
> (Credit to johnath for that one. Repeat with 0 instead of 180deg to
> undo.) You can do all sorts of interesting things to the page by
> pasting javascript: URLs into the URL bar. Of course, there are
> obviously security problems here too, but "no legitimate reason" is
> much too strong.
We could allow bookmarklets without allowing direct pasting into the URL bar.
That would make the social engineering more complex at least.

Adam
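One way to make the split Adam describes concrete, as an added example that is not code from this thread or from any browser: the bar only runs a javascript: URL when it came from a saved bookmarklet, and treats the same text as inert when it was pasted or typed. The `source` tag and the function names are assumptions.

```javascript
// Added example, not code from this thread or from any browser: a URL-bar
// input filter that lets a saved bookmarklet run but refuses a javascript:
// URL that was pasted or typed into the bar by hand.
//
// Assumption: the browser already knows where the input came from
// ("bookmarklet" for a click on a saved bookmark, "paste" or "typed" for
// anything the user put into the bar themselves).

// Normalise the way URL parsers do before reading the scheme: strip leading
// and trailing C0 controls/spaces and drop embedded tabs and newlines, so
// variants such as " JavaScript:" or "java\tscript:" are still recognised.
function normalizeForSchemeCheck(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the input would be interpreted as a javascript: URL.
function isJavascriptUrl(text) {
  return /^javascript:/i.test(normalizeForSchemeCheck(text));
}

// Decide what the URL bar does with the input.
//   navigate: ordinary URL or search text, handed on unchanged
//   run:      a bookmarklet the user saved earlier, allowed to execute
//   refuse:   javascript: text that was pasted or typed; the scheme is
//             removed so the remainder is shown as inert text only
function handleUrlBarInput(text, source) {
  const normalized = normalizeForSchemeCheck(text);
  if (!isJavascriptUrl(text)) {
    return { action: "navigate", value: normalized };
  }
  if (source === "bookmarklet") {
    return { action: "run", value: normalized };
  }
  return { action: "refuse", value: normalized.replace(/^javascript:/i, "") };
}
```

A user who is talked into pasting a javascript: string then sees only the stripped text, while the bookmarklet path the thread wants to keep is untouched.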
