Closed Bug 209029 Opened 22 years ago Closed 22 years ago

Bookmarklet opening Bugzilla erroneously sends a referer

Categories

(SeaMonkey :: Bookmarks & History, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 122668

People

(Reporter: glazou, Assigned: p_ch)

Details

1. start Mozilla
2. add the following bookmarklet to your personal bookmark toolbar

   name of bookmark: bugzilla
   url: javascript:aa=prompt(%22File Name?%22,%22%22);window.location=%22http://bugzilla.mozilla.org/show_bug.cgi?id=%22+aa;void(0)

3. open URL http://www.slashdot.org/
4. click on bookmarklet in personal bookmark toolbar and enter a bug number
   for instance 137092

Expected result : bugzilla bug 137092 displayed
Actual result: message "Sorry, links to Bugzilla from Slashdot are disabled."

Since the bugzilla bug is not downloaded by a click in the Slashdot page, the
Slashdot referer should probably not be included in the request...
Bookmarklets just execute in the JS context of the page.  There is no way to
tell a bookmarklet apart from typing the javascript: url in the URL bar, and no
way to tell either apart from the page itself executing some JS.

The JS context thing is necessary for the bookmarklet to have access to the page
DOM (if it's not in the JS context of the page, and not running as chrome, the
security system blocks it).

Running bookmarklets as chrome has been discussed, but it would open such huge
gaping security holes (via trivial social engineering) that it was decided against.
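
An added illustration (not part of the bug thread, and not Bugzilla's actual code) of a server-side Referer block like the one behind the message in the report: the bookmarklet's request carries the same header as a navigation started by script on the Slashdot page, so the server refuses both, while a request with no Referer passes. The function names, the blocklist and the sample requests are constructed for this example.

```javascript
// Assumption: the blocked domain is inferred from the error message in the report.
const BLOCKED_REFERRER_DOMAINS = ["slashdot.org"];

// True when host is the domain itself or one of its subdomains.
// The leading dot keeps "notslashdot.org" from matching "slashdot.org".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide on a request from its headers (header names already lower-cased).
function checkReferer(headers) {
  const raw = headers["referer"];
  if (!raw) return { allowed: true, reason: "no Referer header" };
  let host;
  try {
    // URL parsing lower-cases the host; also drop a trailing root dot.
    host = new URL(raw).hostname.replace(/\.$/, "");
  } catch (e) {
    return { allowed: true, reason: "unparseable Referer" };
  }
  for (const domain of BLOCKED_REFERRER_DOMAINS) {
    if (hostMatches(host, domain)) {
      return { allowed: false, reason: "Sorry, links to Bugzilla from Slashdot are disabled." };
    }
  }
  return { allowed: true, reason: "referrer not blocked" };
}

// Constructed requests for the cases discussed in this bug.
const sampleRequests = {
  // javascript: URL run from the toolbar while Slashdot is the current page
  bookmarkletOnSlashdot: { referer: "http://www.slashdot.org/" },
  // script in the Slashdot page itself assigning window.location
  pageScriptOnSlashdot: { referer: "http://www.slashdot.org/" },
  // request that carries no Referer at all
  noReferer: {},
  // different registrable domain that merely ends in the same letters
  lookalikeHost: { referer: "http://notslashdot.org/" },
};

function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(sampleRequests)) {
    out[name] = checkReferer(headers).allowed;
  }
  return out;
}

console.log(runSamples());
```
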
Dupe of bug 122668?

Yup.

*** This bug has been marked as a duplicate of 122668 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey