javascript bookmarks (bookmarklets) seem to run with the security (privilegemanager) context of code on the current page




Bookmarks & History
12 years ago
12 years ago


(Reporter: Michael Blakeley, Unassigned)


Firefox Tracking Flags

(Not tracked)




12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)

It seems that bookmarks, which are local, run with the same security context as the currently-loaded page.

Reproducible: Always

Steps to Reproduce:
0. open the error console
1. create a javascript bookmark (bookmarklet) for conkeror:; window.openDialog('chrome://conkeror/content/');
2. open a window or tab for
3. select the bookmarklet from step 1
Actual Results:  
on the error console: Error: uncaught exception: A script from "" was denied UniversalFileRead privileges.

Expected Results:  
since the bookmarklet is on the local filesystem, it should run with some sort of file:// context. This should result in a privilegemanager prompt to grant the requested privilege.

Workaround: open a file:// URL before trying the bookmarklet (it still won't work, but that's another problem - I don't think I've figured out the right priv for openDialog(), if there is one).

I don't think this is an exploitable problem.
Running in the page's context is the whole point of javascript: urls (though most uses might be better as onclick even handlers). Bookmarklets are an extension of this. While some do page-agnostic stuff, many are specifically designed to modify the page they are run on (an older incarnation of the impulse that resulted in Greasemonkey)

See for many such bookmarklets.

As long as the user understands this there should be no problem. But it's not hard to imagine someone being convinced to "bookmark this link" (or "drag this link to the toolbar") to do some whizzy nifty thing on their bank site without grasping the concept of a "malicious bookmark" :-(
Last Resolved: 12 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.