Hmm. Cross-protocol exploits were well-known in IE in September 2002.
I think there's definitely an argument here for not allowing any protocol i) you don't fully understand or control the consequences of using, or ii) the user hasn't specifically enabled.
(A base set of http:, https:, ftp:, mailto:, news:, file: and javascript: ought to be enough for 99% of users.)
Re: maybe this'll make some people feel better *grin*
Date: 2004-07-11 06:17 am (UTC)