Closed
Bug 360197
Opened 18 years ago
Closed 18 years ago
javascript bookmarks (bookmarklets) seem to run with the security (privilegemanager) context of code on the current page
Categories
(Firefox :: Bookmarks & History, defect)
RESOLVED
INVALID
People
(Reporter: mike+bugzilla, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)

It seems that bookmarks, which are local, run with the same security context as the currently-loaded page.

Reproducible: Always

Steps to Reproduce:
0. open the error console
1. create a javascript bookmark (bookmarklet) for conkeror: javascript:netscape.security.PrivilegeManager.enablePrivilege(%22UniversalFileRead%22); window.openDialog('chrome://conkeror/content/');
2. open a window or tab for google.com
3. select the bookmarklet from step 1

Actual Results: on the error console: Error: uncaught exception: A script from "http://www.google.com" was denied UniversalFileRead privileges.

Expected Results: since the bookmarklet is on the local filesystem, it should run with some sort of file:// context. This should result in a privilegemanager prompt to grant the requested privilege.

Workaround: open a file:// URL before trying the bookmarklet (it still won't work, but that's another problem - I don't think I've figured out the right priv for openDialog(), if there is one).

I don't think this is an exploitable problem.
Comment 1•18 years ago
Running in the page's context is the whole point of javascript: urls (though most uses might be better as onclick event handlers). Bookmarklets are an extension of this. While some do page-agnostic stuff, many are specifically designed to modify the page they are run on (an older incarnation of the impulse that resulted in Greasemonkey). See http://www.squarefree.com/bookmarklets/ for many such bookmarklets.

As long as the user understands this there should be no problem. But it's not hard to imagine someone being convinced to "bookmark this link" (or "drag this link to the toolbar") to do some whizzy nifty thing on their bank site without grasping the concept of a "malicious bookmark" :-(
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
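
Added example, not part of the bug report or its comments: because a bookmarklet runs with the privileges of whatever page is open, one practical check before saving a "bookmark this link" URL is to decode it and list which page-context capabilities its code touches. The function name, the capability labels and the regular expressions are assumptions of this sketch and are not a complete list; the first sample is the bookmarklet from the report, the others are constructed.

```javascript
// Static audit of a bookmark URL: is it a javascript: URL, and what page-context
// capabilities does its code reference? Pattern list is illustrative (assumption).
const CAPABILITIES = [
  { name: 'reads-cookies',       re: /\bdocument\s*\.\s*cookie\b/ },
  { name: 'reads-storage',       re: /\b(?:localStorage|sessionStorage)\b/ },
  { name: 'reads-form-data',     re: /\bdocument\s*\.\s*forms\b/ },
  { name: 'sends-data',          re: /\b(?:XMLHttpRequest\b|fetch\s*\(|sendBeacon\b)/ },
  { name: 'loads-remote-script', re: /createElement\s*\(\s*['"]script['"]\s*\)/i },
  { name: 'requests-privilege',  re: /\benablePrivilege\s*\(/ },
];

function auditBookmark(url) {
  const scheme = /^\s*javascript:/i.exec(url);
  if (!scheme) return { isBookmarklet: false, source: null, findings: [] };
  let source = url.slice(scheme[0].length);
  // Bookmarks are commonly percent-encoded (%22 is a double quote, %23 is '#').
  try {
    source = decodeURIComponent(source);
  } catch (e) {
    // Malformed escape sequence: audit the raw text instead of failing.
  }
  const findings = CAPABILITIES.filter(c => c.re.test(source)).map(c => c.name);
  return { isBookmarklet: true, source, findings };
}

const SAMPLES = [
  // From the bug report above.
  "javascript:netscape.security.PrivilegeManager.enablePrivilege(%22UniversalFileRead%22); window.openDialog('chrome://conkeror/content/');",
  // Constructed: a page-modifying bookmarklet that touches nothing sensitive.
  "javascript:void(document.body.style.background='%23ffc')",
  // Constructed: counts the forms on the current page.
  "javascript:void(alert(document.forms.length))",
  // Not a bookmarklet at all.
  "http://www.squarefree.com/bookmarklets/",
];

for (const url of SAMPLES) {
  const r = auditBookmark(url);
  const verdict = r.isBookmarklet
    ? (r.findings.length ? r.findings.join(', ') : 'no flagged capability')
    : 'ordinary URL';
  console.log(verdict + '  <-  ' + url.slice(0, 60));
}
```

A finding is a prompt to read the code, not a verdict: a pattern match says the bookmarklet can reach that data on every page it is run on, and obfuscated code can evade simple patterns.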