[gpvos]

I was mostly thinking about URLs in untrusted contexts, like maybe from an ad you see on the street, that you want to screen by hand against malicious intent; not so much about things like your banking app example, which should always have some kind of confirmation anyway.

[91iejrj20310]

It really shouldn't matter to the browser what URL you enter. Maybe it's not the page you're looking for. But opening a website itself should cause no harm.

Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.

What I'm trying to make clear is that there is no such case where QR scanners, browsers or application may consider a safe context where the user implicitly consents with malicious actions by the QR/website/...

[Fnoord]

> It really shouldn't matter to the browser what URL you enter.

In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browers, it absolutely does matter.