Question

I have written many JavaScript functions for my website and recently I found out that those functions can be called simply by writing javascript:FunctionName(); in the URL bar. Calling functions like this can make my website vulnerable, so are there any ways to prevent this? Are there any ways to stop the use of JavaScript in the address bar?

Any subtle ways can also be helpful, like a way to detect where the call to the function was made from, so that if it was not from the address bar the function runs, and otherwise it won't run?

I tried using JavaScript in the address bar on Facebook but it didn't work, so there must be a way to stop this.

Solution

I agree with the other commenters that detecting "where the call to the function was made and if it was not from the address bar then the function should run" is a bad way to approach client-side security, insofar as there is such a thing.

That said, function scope, closures, and how this relates to the URL bar is an interesting topic. Here's some more context on global variables and scope. The short version is that if you have a function like this:

function test (argument) {
    alert('hey')
}   

It will be executable via the URL bar because it's in the window/global scope, which seems to be as far as JavaScript URIs will go. Whereas if you put that same function in a closure:

(function() {
    function test (argument) {
        alert('hey')
    }       
})()

...it should be inaccessible as far as executing the function in the URL bar goes.

I would be curious to learn the history of why browser vendors implemented JavaScript-via-the-URL... it now has practical usage with bookmarklets and the like, but it doesn't seem to be well-documented.
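The scope behaviour described in the answer above, as an added example that is not part of the original answer: it checks which names are reachable from the global scope, the scope a `javascript:` URL evaluates in. The names `doThingGlobal`, `doThingPrivate` and `app` are hypothetical, and indirect `eval` stands in for the browser running a classic script, so the block also runs under Node.

```javascript
// Indirect eval runs source as a classic script in the global scope, which is
// the scope both a <script> tag and a javascript: URL evaluate in.
const runAsGlobalScript = (source) => (0, eval)(source);

// Constructed page script (hypothetical names): one function declared
// globally, one declared inside an IIFE that returns a single entry point.
const PAGE_SCRIPT = `
  function doThingGlobal() { return 'ran'; }

  var app = (function () {
    function doThingPrivate() { return 'ran'; }
    return {
      // Only what is returned here is reachable from outside the closure.
      run: function () { return doThingPrivate(); }
    };
  })();
`;

// True if code evaluated in the global scope can resolve `expr` to a function.
// `typeof` on an undeclared name yields 'undefined' instead of throwing.
function reachableFromGlobalScope(expr) {
  return runAsGlobalScript(`typeof ${expr}`) === 'function';
}

function demo() {
  runAsGlobalScript(PAGE_SCRIPT);
  return {
    globalFn: reachableFromGlobalScope('doThingGlobal'),   // declared globally
    privateFn: reachableFromGlobalScope('doThingPrivate'), // hidden in closure
    publicApi: reachableFromGlobalScope('app.run'),        // exported on purpose
    // The exported entry point still reaches the private function.
    viaPublicApi: runAsGlobalScript('app.run()')
  };
}

console.log(demo());
```

The closure removes `doThingPrivate` from the global namespace, but anything the page exports (`app.run` here) remains callable, so this is namespace hygiene and not an access control.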

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow