In Firefox 6, you can no longer put JavaScript in the address bar because of security risks such as recent scripts on Facebook. I understand it can simulate just about anything you can click, like removing friends and spamming wall posts, but what’s the absolute worst? It can only manipulate the page you’re on because of cross-domain iframe JavaScript being disabled, unless it sends an XMLHttpRequest based on cookie data.
What exactly were the scripts on Facebook doing that made it such a big problem? What’s the worst that can be done?
The JavaScript can do anything you can do.
On Facebook, for example, it can manipulate friends and posts.
On World of Warcraft, it can give all of your money and items to whoever created the script.
On your bank (which is a little less likely since banks won’t have posts asking people to run javascript: URLs), it can empty your bank account.
On any site, it could also create a fake login form within the site that sends your credentials to a malicious server.
A very clever malicious script could do that almost undetectably (by handling link clicks and using HTML5 address bar APIs).
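
A moderation-side check for the kind of posts the answer mentions, as an added example that is not part of the original question or answer: it holds user-submitted posts that contain a javascript: URL, including spellings that a URL parser still reads as that scheme. The function names and sample posts are constructed for illustration.

```javascript
// Added example (hypothetical names, constructed samples): hold posts that
// contain a javascript: URL so a moderator sees them before other users do.

// URL parsers drop ASCII tab, CR and LF from the input and compare the scheme
// case-insensitively, so "JaVa\tScRiPt:" is still the javascript: scheme.
const GAP = "[\\t\\r\\n]*";
const SCHEME = "javascript".split("").join(GAP) + GAP + ":";

// The lookbehind rejects matches that are only the tail of a longer scheme
// name (for example "notjavascript:"), which a browser would not execute.
const SCRIPT_URL = new RegExp("(?<![a-z0-9+.-])" + SCHEME, "gi");

// Return the offset and a short printable excerpt for every match.
function findScriptUrls(postBody) {
  const hits = [];
  for (const m of postBody.matchAll(SCRIPT_URL)) {
    const excerpt = postBody
      .slice(m.index, m.index + 40)
      .replace(/[\t\r\n]/g, " ");
    hits.push({ index: m.index, excerpt });
  }
  return hits;
}

// Moderation decision: publish clean posts, hold anything with a match.
function moderate(postBody) {
  const hits = findScriptUrls(postBody);
  return { action: hits.length > 0 ? "hold-for-review" : "publish", hits };
}

// Constructed sample posts; the script bodies are harmless placeholders.
const samplePosts = [
  "See who viewed your profile! Paste in the address bar: javascript:void(0)",
  "Works in any browser: JaVa\tScRiPt:void(0)",
  "I am learning JavaScript this week and enjoying it.",
  "Details at https://example.com/page",
  "Custom handler test: notjavascript:void(0)",
];

for (const post of samplePosts) {
  const result = moderate(post);
  console.log(result.action.padEnd(16), JSON.stringify(post));
}
```

A match only means the text would be parsed as a javascript: URL if pasted somewhere that runs it; ordinary prose such as "JavaScript: The Good Parts" is also held, which is why the result is a review queue rather than an automatic rejection.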