This seems stupid. They should have restricted everything that a webpage cannot access by default either. Not all. The hack against this seems even more brain-dead.