5

Ran into something rather odd today, I'm unable to paste a string from my clipboard starting with javascript: to the chrome address bar - the javascript: portion is stripped.

What is going on here? Is there a reason chrome is automatically stripping it out? The context is I wanted to copy-paste some javascript to run. (http://nategood.com/quickly-add-and-edit-cookies-in-chrome)

I can paste strings containing javascript:, and I can type it out manually, but I cant paste if the string starts with javascript:. This only happens with the address bar

Examples of what happens when I try copy strings (both Ctrl+c/Ctrl+v and middle-mouse)

javascript: -  (nothing is pasted)
javascript:test - test
javascript://test - //test
test javascript: - test javascript:

Output from about://version

Google Chrome   47.0.2526.80 (Official Build) (64-bit)
Revision    9fd42dd40d33146ff9afd92f51714f0426c1247c-refs/branch-heads/2526@{#505}
OS  Linux 
Blink   537.36 (@9fd42dd40d33146ff9afd92f51714f0426c1247c)
JavaScript  V8 4.7.80.25
Flash   20.0.0.267
User Agent  Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Command Line    /usr/bin/google-chrome-stable --flag-switches-begin --enable-tab-audio-muting --flag-switches-end
Paradise
  • 1,408
  • 1
  • 14
  • 25
  • Yes, it is a security feature. You can ONLY use the javascript protocol in bookmarklets or from the console or in links – mplungjan Jan 11 '16 at 10:19
  • @mplungjan: And links, of course. – T.J. Crowder Jan 11 '16 at 10:20
  • https://code.google.com/p/chromium/issues/detail?id=242616 – mplungjan Jan 11 '16 at 10:22
  • http://stackoverflow.com/a/34719074/4928642 – Qwertiy Jan 11 '16 at 10:25
  • How does it raise security though, anything that could paste something against your will could probably also just type it. And if someone willfully pastes in code without knowing what it does they deserve anything coming to them, don't they? Besides, they probably would still type the javascript: in front of it when they realize it's gone. – Tharkon Dec 09 '22 at 18:10

1 Answers1

4

"So with the most recent facebook phishing scandal, google chrome(and i assume other browsers) disabled the ability to paste javascript directly into your URL bar. Well it still lets you, but it strips the "javascript: " part. "

From here. That's literally the second google hit.

Community
  • 1
  • 1
Johannes Jander
  • 4,974
  • 2
  • 31
  • 46