Closed Bug 360197 Opened 18 years ago Closed 18 years ago

javascript bookmarks (bookmarklets) seem to run with the security (privilegemanager) context of code on the current page

Categories

(Firefox :: Bookmarks & History, defect)

x86
Linux
defect
Not set
minor

RESOLVED INVALID

People

(Reporter: mike+bugzilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)

It seems that bookmarks, which are local, run with the same security context as the currently-loaded page.

Reproducible: Always

Steps to Reproduce:
0. open the error console
1. create a javascript bookmark (bookmarklet) for conkeror: javascript:netscape.security.PrivilegeManager.enablePrivilege(%22UniversalFileRead%22); window.openDialog('chrome://conkeror/content/');
2. open a window or tab for google.com
3. select the bookmarklet from step 1

Actual Results:
On the error console: Error: uncaught exception: A script from "http://www.google.com" was denied UniversalFileRead privileges.

Expected Results:
Since the bookmarklet is on the local filesystem, it should run with some sort of file:// context. This should result in a privilegemanager prompt to grant the requested privilege.

Workaround: open a file:// URL before trying the bookmarklet (it still won't work, but that's another problem - I don't think I've figured out the right priv for openDialog(), if there is one).

I don't think this is an exploitable problem.

Running in the page's context is the whole point of javascript: urls (though most uses might be better as onclick event handlers). Bookmarklets are an extension of this. While some do page-agnostic stuff, many are specifically designed to modify the page they are run on (an older incarnation of the impulse that resulted in Greasemonkey).

See http://www.squarefree.com/bookmarklets/ for many such bookmarklets.

As long as the user understands this there should be no problem. But it's not hard to imagine someone being convinced to "bookmark this link" (or "drag this link to the toolbar") to do some whizzy nifty thing on their bank site without grasping the concept of a "malicious bookmark" :-(
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
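
Added example, not part of the original bug report or of Mozilla's code: because a bookmarklet runs with the privileges of whatever page is open, one way to review a bookmark before saving it is to decode the javascript: URL and list which page-context capabilities its source touches. The function name, rule ids and patterns below are assumptions chosen for illustration, not a complete policy.

```javascript
// Heuristic rules (assumed for illustration; not a complete policy).
const RULES = [
  { id: "privilege-request",
    re: /netscape\.security\.PrivilegeManager\.enablePrivilege/ },
  { id: "reads-cookies", re: /document\.cookie/ },
  { id: "reads-web-storage", re: /\b(localStorage|sessionStorage)\b/ },
  { id: "injects-script", re: /createElement\(\s*['"]script['"]/i },
  { id: "network-request", re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/ },
];

// Reports what a bookmark URL would do in the context of whatever page
// is open when the user selects it.
function auditBookmarklet(url) {
  // URL parsers drop ASCII tab/newline and leading control chars/spaces,
  // so "java\tscript:" is still a javascript: URL.
  const cleaned = String(url).replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
  if (!/^javascript:/i.test(cleaned)) {
    return { isBookmarklet: false, source: null, findings: [] };
  }
  let source = cleaned.slice("javascript:".length);
  try {
    source = decodeURIComponent(source); // e.g. %22 becomes "
  } catch (e) {
    // Malformed escape: keep auditing the raw text instead of skipping it.
  }
  const findings = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  return { isBookmarklet: true, source, findings };
}

// Sample inputs: the first is the bookmarklet from the report above,
// the rest are constructed for this example.
const SAMPLES = [
  "javascript:netscape.security.PrivilegeManager.enablePrivilege(%22UniversalFileRead%22); window.openDialog('chrome://conkeror/content/');",
  " JavaScript:void(document.title)",
  "java\tscript:alert(document.cookie.length)",
  "https://example.com/",
];
for (const s of SAMPLES) {
  const r = auditBookmarklet(s);
  console.log(JSON.stringify(s), "->", r.isBookmarklet ? r.findings : "not a bookmarklet");
}
```

An empty findings list only means none of these patterns matched; obfuscated source is not caught by pattern matching.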