This bug has been reported at http://crbug/99664 Have a document with this code snippet. <a href="javascript:alert('foo');">Test link</a> Inspect the link, click the href in the inspector, inspector follows the href as if it were relative (eg. example.com/javascript:alert('foo');)
Created attachment 115170 [details] Patch
Comment on attachment 115170 [details] Patch Should we prevent running the script in the Inspector? It seems we should send the script to the inspected page to exec.
Created attachment 115372 [details] Patch
(In reply to comment #2) > (From update of attachment 115170 [details]) > Should we prevent running the script in the Inspector? It seems we should send the script to the inspected page to exec. Right, running the code in the Inspector would be a huge security hole. We decided not to linkify the "javascript:..." URLs altogether.
Comment on attachment 115372 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=115372&action=review > Source/WebCore/inspector/front-end/ResourceUtils.js:291 > + if (href.indexOf("javascript:") === 0) I'd rather do this check at the call site and return href here, otherwise looks good.
Committed r100588: <http://trac.webkit.org/changeset/100588>