On Tue, Apr 19, 2011 at 9:51 AM, Wilhelm Joys Andersen <[email protected]> wrote:
> . . .
> After running the lines of script above, typing any of the
> following URLs will lead the user to evilsite.tld:
>
> mail.google.com:80/mail/
> 192.168.1.1:80
> . . .
> To save ourselves (and our users) from possible future headaches,
> we have decided to disallow the use of dots in the protocol argument
> of registerProtocolHandler().

It was pointed out on IRC <http://krijnhoetmer.nl/irc-logs/whatwg/20110415#l-734> that it would make sense to also ban the string "localhost", as the only common domain name that contains no dots.
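
The restriction discussed in this thread (no dots, plus the string "localhost"), sketched as an added example that is not part of the original messages or of any browser's code. The function names, the first-colon split of typed input, and the case-insensitive comparison are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical.

// Assumed model of address-bar parsing: everything before the first ':' is
// taken as the scheme. Under this model "mail.google.com:80/mail/" looks like
// a URL whose scheme is "mail.google.com".
function schemeOfTypedInput(typed) {
  const i = typed.indexOf(':');
  return i > 0 ? typed.slice(0, i).toLowerCase() : null;
}

// Check on the protocol argument of registerProtocolHandler(), combining the
// two rules from the thread: no dots, and not the string "localhost".
function isAllowedHandlerScheme(protocol) {
  if (typeof protocol !== 'string' || protocol.length === 0) return false;
  const p = protocol.toLowerCase(); // schemes compare case-insensitively
  if (p.includes('.')) return false;   // host-like and IPv4-like names
  if (p === 'localhost') return false; // common host name with no dots
  return true;
}

// Simulate which typed inputs would be routed to a registered handler,
// with and without the check applied at registration time.
function simulate(requested, typedInputs, enforceCheck) {
  const registered = new Set(
    requested
      .filter(p => !enforceCheck || isAllowedHandlerScheme(p))
      .map(p => p.toLowerCase())
  );
  return typedInputs.map(typed => ({
    typed,
    routedToHandler: registered.has(schemeOfTypedInput(typed)),
  }));
}

// Constructed sample data: registrations a page might request, and what a
// user might type afterwards.
const requested = ['mail.google.com', '192.168.1.1', 'localhost', 'web+notes'];
const typed = ['mail.google.com:80/mail/', '192.168.1.1:80',
               'localhost:8080', 'web+notes:todo'];

console.table(simulate(requested, typed, false)); // no check: all four routed
console.table(simulate(requested, typed, true));  // check: only web+notes routed
```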
