Bookmarklet to send page info to another page still triggers popup warning
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox91 | --- | affected |
People
(Reporter: eric, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
53.36 KB,
image/jpeg
|
Details |
Capture bookmarklet.JPG
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
Load a web page in browser.
Click bookmarklet and enter code at prompt. For example: "ct ELIXA" or "aw" or "gt" or "gg maidhm"
The bookmarklet: javascript:Quixer();%20function%20Quixer(){%20var%20e=encodeURIComponent;%20var%20c=window.prompt('Quixer%20(type%20help%20for%20list%20of%20commands):');%20if(c){%20var%20u='http://www…/quixer.html?c='+e(c)+'&t='+(document.title?e(document.title):'none')+'&u='+(location.href?e(location.href):'none')+'&h='+(location.hostname?e(location.hostname):'none');%20open(u).focus();%20}%20}
Actual results:
"Firefox prevented this site from opening a pop-up window."
Expected results:
The bookmarklet should have been allowed to proceed: "ct ELIXA" would load https://clinicaltrials.gov/ct2/results?term=ELIXA; "aw" would search archive.org for the current page; "gt" would load the current page in Google Translate; "gg maidhm" would search for the Irish word maidhm at teanglann.ie.
This bookmarklet is essential to my work as a medical editor, facilitating quick look-ups of acronyms, trials, doi, etc, as well as for more general use (site-specific search, translation, archive.org search, etc). It is based on the Yoast Quixapp, which was increasingly unreliable and now unavailable. It feeds the string entered in the prompt along with the current page's URL, domain, and title to a javascript page that figures out what to do with the info.
|
Reporter | |
Comment 1•4 years ago
|
||
The problem appears to be with opening a new page. If I add the parameter '_self' to the open() command (and remove the focus() command as no longer needed), ie, open(u,'_self'), it is allowed to work. But that rather defeats much of its usefulness.
Hi Eric,
Thank you for reporting this to us.
I understand that this feature is important to your daily work. I tried to reproduce what you describe copying your code into a new bookmarklet. I was able to see the pop-up window alert, but after choosing to allow pop-up on that specific site, the next time I clicked on the Bookmarklet the alert was gone. Is this pop-up alert triggering more than once while browsing the same page?
What I also noticed is that after I allowed the pop-up, I got an error message stating that it was unable to connect to the xn--www7t7s server. Is this a private/local server? After you accept the pop-up, are you able to see the expected site on your end?
Can you please test if this is reproducible in the latest Nightly version? You can download it here: https://nightly.mozilla.org
Lastly, I found this issue that seems to be similar to what you are describing. Would you be able to take a look and confirm if it is so?
https://bugzilla.mozilla.org/show_bug.cgi?id=1524137
Thanks in advance,
Virginia
|
|
Reporter | |
Comment 3•4 years ago
|
||
What you describe is exactly what I experience as well (except that I have the actual domain name, not "…", which I do not want to publicize – it was originally a locally located page, but Firefox stopped allowing that some time ago). I can indeed allow the page to load, and I can indeed add the current domain to allow such a pop-up (which is just as inconvenient since I may use it on dozens of different domains every day). But that's the problem. It's not a pop-up from the currently displayed domain per se. It's a bookmarklet on my own system – in my own toolbar – and I should be able to run it at will (without simply allowing all pop-ups).
By the way, the "quixer.html" page that the bookmarklet calls consists only (besides the html wrappers) of a javascript function.
Interestingly, entering the "help" command in the bookmarklet prompt works fine. That command simply writes the list of available commands on the quixer.html page with "document.write()". So Firefox seems to allow the new page to load if it does not itself call another page. When I get some time, I'll experiment with other ways to call those new pages.
I've temporarily copied the quixer.html page to another domain for testing, with the bookmarklet:
javascript:Quixer(); function Quixer(){ var e=encodeURIComponent; var c=window.prompt('Quixer (type help for list of commands):'); if(c){ var u='http://www.kirbymountain.com/quixer.html?c='+e(c)+'&t='+(document.title?e(document.title):'none')+'&u='+(location.href?e(location.href):'none')+'&h='+(location.hostname?e(location.hostname):'none'); open(u).focus(); } }
|
|
Reporter | |
Comment 4•4 years ago
|
||
That is, javascript:Quixer();%20function%20Quixer(){%20var%20e=encodeURIComponent;%20var%20c=window.prompt('Quixer%20(typehelpfor%20list%20of%20commands):');%20if(c){%20var%20u='http://www.kirbymountain.com/quixer.html?c='+e(c)+'&t='+(document.title?e(document.title):'none')+'&u='+(location.href?e(location.href):'none')+'&h='+(location.hostname?e(location.hostname):'none');%20open(u).focus();%20}%20}
Hi Eric,
Thanks for reaching out with more feedback. Since the issue I reproduced matches the one you describe, I'll mark this ticket as NEW for visibility.
Feel free to comment back if you have any other new findings, they'll be helpful to continue investigating.
Regards,
Virginia
|
|
Reporter | |
Comment 6•4 years ago
|
||
I did some more analysis. The bookmarklet does not always get a warning, even when loading another page. And remember, the bookmarklet itself loads a new page for running the main script.
Notably, when one of the codes is entered without any string, the new page loads without a warning (as desired). But if a string is added, the page is blocked. For example "gm" will load google maps without a hitch, whereas "gm new york" will get a warning. The former would call (via window.location.replace()) “https://www.google.com/maps?q=” and the latter “https://www.google.com/maps?q=new york”.
Another example "pm" OK, "pm ethnicity" warned: “https://pubmed.ncbi.nlm.nih.gov/?term=([Title])” vs “https://pubmed.ncbi.nlm.nih.gov/?term=(ethnicity[Title])”.
More confusingly still, they very often work fine if repeated! For example, from this bugzilla page, "gm new york" did not work, and I did not proceed with the request. Now it works! "gm georgia" then got a warning. Then I entered just "gm" – no problem, google maps loaded without warning – and then, back on this page, "gm georgia" again and it loaded! Similarly with "pm ethnicity" – OK repeated after "pm" – and then "pm myocarditis" warned (and not proceeded), "pm" again OK, and "pm myocarditis" again OK. But it has to be repeated! "pm" (OK) followed by a new query, eg "pm fibromyalgia", still gets a warning. Then "pm" again, and then "pm fibromyalgia" again, and it's OK.
|
||
Comment 7•4 years ago
|
||
(In reply to Eric Rosenbloom from comment #6)
More confusingly still, they very often work fine if repeated! For example, from this bugzilla page, "gm new york" did not work, and I did not proceed with the request. Now it works! "gm georgia" then got a warning. Then I entered just "gm" – no problem, google maps loaded without warning – and then, back on this page, "gm georgia" again and it loaded! Similarly with "pm ethnicity" – OK repeated after "pm" – and then "pm myocarditis" warned (and not proceeded), "pm" again OK, and "pm myocarditis" again OK. But it has to be repeated! "pm" (OK) followed by a new query, eg "pm fibromyalgia", still gets a warning. Then "pm" again, and then "pm fibromyalgia" again, and it's OK.
I played this a bit, it seems sometimes it works because the bookmarklet action is still within the user gesture time, so if you wait a bit without interacting with the page, then I can see the warning consistently even with "gm". But yeah, it would be good if we could consider the action from the bookmarklet is also a user gesture.
Description
•