Show a warning when a user tries to bookmark a javascript: url

Status: NEW
Product: Core
Component: Security
Reported: 11 years ago
Last modified: 6 months ago

People

(Reporter: Martijn Wargers (dead), Assigned: dveditz)

Tracking

(Blocks: 1 bug, {sec-want})

Trunk
x86
Windows XP
sec-want


Details

(Whiteboard: [sg:want?])


Description

11 years ago
This is basically a reprise of bug 28387; we might want to reconsider this.
I opened this bug because of the discussion in bug 371179.
IE gives a confirm dialog when you want to add a bookmarklet to your bookmarks, so maybe we want to do something similar to IE?

Comment 1

9 years ago
I think we should come up with a new UI for "user-script buttons" to replace the concept of bookmarklets.  Mixing these buttons with bookmarks is suboptimal and constraining in many ways.

Updated

8 years ago
Whiteboard: [sg:want?]

Comment 2

Before I file a new bug, I wanted to check if this would be an appropriate bug to hijack.  We want to add UI that would require more explicit action by a user before they can install or execute a bookmarklet.

One option is to add a checkbox per bookmark in the Bookmarks Manager that would be required to be checked before the bookmark is permitted to run script.

Another option is to require a bookmarklet be "installed" before it can run, and to make the bookmarklet installation appear similar or identical to the add-on installation flow.

Let me know if you want a new bug for this, or if we can do the work here.
Comment 3

Given the recent social-engineering aspects of this (and the general suckiness of user warnings, in general), I think we should just disable/ignore attempting to bookmark such URIs (are there other cases? Should we whitelist to just http/https/ftp?) I'd probably be ok with allowing existing bookmarklets to work if it's not a hassle.

One thing I'm not sure of is how successful an attack would be that asks users to modify an existing bookmark to use a js URL. [EG "nice hack to look anyone's facebook page! Just bookmark facebook, blah blah edit it to js:// blah blah, now visit FB and click the special bookmark!"] I suspect that would still work well enough. :( Given that bookmarklets are already kind of an edge-case use (although semi-popular), killing them entirely is something we should consider.
Comment 4

Comment 1 is asking for a different bug to be filed and fixed. Whatever we do for user scripting, bookmarklets are out there and they won't go away quickly.

/be
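The scheme allowlist floated in comment 3 (only http/https/ftp bookmarkable, javascript: and data: refused), written out as an added JavaScript example that is not code from this bug or from Firefox; the function names are assumptions. The point it adds is that the decision has to go through a URL parser rather than a string-prefix test, so that case and whitespace variants of `javascript:` are still recognised.

```javascript
// Added example, not from the bug or from Firefox: a scheme allowlist
// applied when a user saves a bookmark. The allowlist follows comment 3
// (http/https/ftp); the function names are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Return the scheme as the WHATWG URL parser sees it, or null when the
// string is not a parseable absolute URL. The parser strips leading and
// trailing whitespace/control characters and lower-cases the scheme, so
// "  JavaScript:alert(1)" still reports "javascript:".
function bookmarkScheme(urlString) {
  try {
    return new URL(urlString).protocol;
  } catch (e) {
    return null;
  }
}

// Decide what the bookmark UI should do with the URL the user entered:
//   "allow"  - scheme is on the allowlist, save silently
//   "block"  - javascript: (a bookmarklet), data:, or any other scheme
//              outside the allowlist; refuse the save (or warn)
//   "reject" - not a usable absolute URL at all
function classifyBookmark(urlString) {
  const scheme = bookmarkScheme(urlString);
  if (scheme === null) return "reject";
  if (ALLOWED_SCHEMES.has(scheme)) return "allow";
  return "block";
}

// Naive prefix test kept for comparison: it misses the case and
// whitespace variants that the parser-based check above catches.
function naiveIsBookmarklet(urlString) {
  return urlString.startsWith("javascript:");
}

// Constructed sample inputs a user might type or paste into the bookmark dialog.
const samples = [
  "https://example.com/",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "data:text/html,hello",
  "not a url",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classifyBookmark(s),
              "(naive prefix test:", naiveIsBookmarklet(s) + ")");
}
```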

Comment 5

6 years ago
For data: URLs, fixing bug 656823 would be better.
Summary: Show a warning when a user tries to bookmark a javascript:/data: url → Show a warning when a user tries to bookmark a javascript: url

Updated

6 years ago
Blocks: 527530
Keywords: sec-want

Comment 6

5 years ago
I filed bug 774065 for comment 1.

Updated

4 years ago
Blocks: 971598

Updated

2 years ago
No longer blocks: 971598

Updated

9 months ago
Duplicate of this bug: 1320447

Updated

7 months ago
Duplicate of this bug: 1329592