Disallow javascript: URLs entered into location bar


Post by therube » Tue May 17, 2011 1:32 am

(Had to truncate the line to fit in the subject. Makes it sound more ominous than it may be?)


Bug 656433 - Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page

So now just what does that mean?
Kind of understand disallow javascript: & data: URLs.

But what does the "inheriting the principal of the currently-loaded page" part mean?

What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?
Some of these code fragments that Giorgio & others have posted? Would it affect things like FlashGot's Build Gallery?

Post by therube » Tue May 17, 2011 1:41 am

What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?
Some of these code fragments that Giorgio & others have posted?


You might say that.
Like, viewtopic.php?p=27870#p27870 & viewtopic.php?p=27983#p27983





Now that being the case, if you toggle (set to true) noscript.allowURLBarJS, what is the downside?
What is this Facebook exploit?
Are NoScript users affected? Only affected if the current page is Allowed?



Doesn't help me (understand) much more?

Bug 527530 - Social Engineering Issue with "javascript:" URLs

Social Engineering Issue With "javascript:" URLs


I know in days of old, there was a rapidshare hack, where you could use some javascript: to set their countdown counter to 0, bypassing the 60 second wait. That was good.


al's post, javascript: on about:blank not working (allowURLBarJS=true).



So Giorgio was being proactive on this matter, yes?



An understandable explanation, Facebook infested with cut and paste Javascript survey scams.

Post by al_9x » Tue May 17, 2011 3:15 am

The bottom line is that they are intending to kill javascript: URIs executed via the urlbar with not even a hidden pref to restore this functionality. Killing advanced features because "average" users don't need or can't handle them is becoming Mozilla's MO.

Post by Giorgio Maone » Tue May 17, 2011 8:22 pm

therube wrote: What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?

Using the URL bar as a development and debugging tool to interact with the current web page. Nothing most users do daily.

therube wrote: Some of these code fragments that Giorgio & others have posted? Would it affect things like FlashGot's Build Gallery?

No to both.