
Disallow javascript: URLs entered into location bar

Posted: Tue May 17, 2011 1:32 am
by therube
(Had to truncate the line to fit in the subject. Makes it sound more ominous than it may be?)


Bug 656433 - Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page

So now just what does that mean?
Kind of understand disallow javascript: & data: URLs.

But what does the "inheriting the principal of the currently-loaded page" part mean?

What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?
Some of these code fragments that Giorgio & others have posted? Would it affect things like FlashGot's Build Gallery?

Re: Disallow javascript: URLs entered into location bar

Posted: Tue May 17, 2011 1:41 am
by therube
What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?
Some of these code fragments that Giorgio & others have posted?
You might say that.
Like, http://forums.informaction.com/viewtopi ... 870#p27870 & http://forums.informaction.com/viewtopi ... 983#p27983





Now that being the case, if you toggle (set to true) noscript.allowURLBarJS, what is the downside?
What is this Facebook exploit?
Are NoScript users affected? Only affected if the current page is Allowed?



Doesn't help me (understand) much more?

Bug 527530 - Social Engineering Issue with "javascript:" URLs

Social Engineering Issue With "javascript:" URLs


I know in days of old, there was a rapidshare hack, where you could use some javascript: to set their countdown counter to 0, bypassing the 60 second wait. That was good.


al's post, javascript: on about:blank not working (allowURLBarJS=true).



So Giorgio was being proactive on this matter, yes?



An understandable explanation, Facebook infested with cut and paste Javascript survey scams.

Re: Disallow javascript: URLs entered into location bar

Posted: Tue May 17, 2011 3:15 am
by al_9x
The bottom line is that they are intending to kill javascript: URIs executed via the urlbar with not even a hidden pref to restore this functionality. Killing advanced features because "average" users don't need or can't handle them is becoming Mozilla's MO.

Re: Disallow javascript: URLs entered into location bar

Posted: Tue May 17, 2011 8:22 pm
by Giorgio Maone
therube wrote: What can you do now (whatever this facebook exploit is aside) that is good & beneficial that you won't be able to do in the future?
Using the URL bar as a development and debugging tool to interact with the current web page. Nothing most users do daily.
therube wrote: Some of these code fragments that Giorgio & others have posted? Would it affect things like FlashGot's Build Gallery?
No to both.