Closed Bug 41919 Opened 24 years ago Closed 24 years ago

4xp Javascript in location bar and bookmarks cannot access current page

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 31818

People

(Reporter: tpowellmoz, Assigned: security-bugs)

References

(
URL
)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.61 [en] (WinNT; I)
BuildID:    2000060608

Typing a javascript url into the location bar or accessing a bookmark containing 
a javascript url (often called a bookmarklet) cannot act on the currently loaded 
html document page.

Reproducible: Always
Steps to Reproduce:
1. Load a page with a form and javascript functions defined.
2. Try to access the form or call the functions by typing a javascript url in 
the location bar or accessing a javascript bookmark.


Actual Results:  This generates an empty JavaScript error:
XUL/Content JavaScript: JavaScript Error: line 0, column 0: Source line:

It is common for bookmarklets to act on and change known form elements in a 
page. Some editors of the Open Directory Project (dmoz.org) use them 
extensively. It is also common to type javascript:alert urls to check values on 
a loaded page for debugging. Sometimes it is useful to  type things like 
javascript:myFunction() in the location bar to call the myFunction function 
defined on the current page.

These javascript urls work in Netscape 4.x and IE.

I don't believe it is a security issue for the local machine to have access to 
any document through javascript urls or bookmarks. And it seems like pages in 
the same domain should also have such access (I think this was common in 4.x.) 
so you could do something like javascript:opener.setMyValues(). There need to be 
security restrictions between secure and insecure pages.

A bug like this for secure pages is 33940. Bugs with bookmarklets not 
functioning (and different types of errors) are 33224 and 30544.
The supplied URL does work if you click on the "URL:" link next to the URL field
above, but if you copy the javascript: url into the URL bar you get the reported
error. This is most likely due to the security problems with javascript url's,
confirming and reassigning to mstoltz for investigation.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hmm, reassigning for real this time...
Assignee: jst → mstoltz
All right, this bug has been filed about six times. I'm working on a fix right 
now.


*** This bug has been marked as a duplicate of 31818 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Verified Duplicate.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.