Show a warning when a user tries to bookmark a javascript: url

Status: NEW
Type: defect
Opened: 12 years ago; last updated: 5 months ago
Reporter: martijn.martijn; Assigned: dveditz
Tracking: Blocks 1 bug, {sec-want}
Version: Trunk; Platform: x86, Windows XP
Whiteboard: [sg:want?]

(Reporter)

Description

12 years ago
This is basically a reprise of bug 28387; we might want to reconsider this.
I opened this bug because of the discussion in bug 371179.
IE gives a confirm dialog when you want to add a bookmarklet to your bookmarks, so maybe we want to do something similar to IE?

Comment 1

10 years ago
I think we should come up with a new UI for "user-script buttons" to replace the concept of bookmarklets.  Mixing these buttons with bookmarks is suboptimal and constraining in many ways.

Updated

9 years ago
Whiteboard: [sg:want?]

Comment 2

Before I file a new bug, I wanted to check if this would be an appropriate bug to hijack.  We want to add UI that would require more explicit action by a user before they can install or execute a bookmarklet.

One option is to add a checkbox per bookmark in the Bookmarks Manager that would be required to be checked before the bookmark is permitted to run script.

Another option is to require a bookmarklet be "installed" before it can run, and to make the bookmarklet installation appear similar or identical to the add-on installation flow.

Let me know if you want a new bug for this, or if we can do the work here.

Comment 3

Given the recent social-engineering aspects of this (and the general suckiness of user warnings, in general), I think we should just disable/ignore attempting to bookmark such URIs (are there other cases? Should we whitelist to just http/https/ftp?) I'd probably be ok with allowing existing bookmarklets to work if it's not a hassle.

One thing I'm not sure of is how successful an attack would be that asks users to modify an existing bookmark to use a js URL. [EG "nice hack to look anyone's facebook page! Just bookmark facebook, blah blah edit it to js:// blah blah, now visit FB and click the special bookmark!"] I suspect that would still work well enough. :( Given that bookmarklets are already kind of an edge-case use (although semi-popular), killing them entirely is something we should consider.
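The "whitelist to just http/https/ftp" idea from the comment above, written out as an added example that is not Firefox code: the candidate bookmark URL is run through the WHATWG URL parser first, so that the parsed scheme, not the raw string, is what gets compared. The allow-list, the helper names and the sample inputs are all assumptions made for this example.

```javascript
// Added example (not Firefox code): decide whether a URL may be stored as a
// bookmark under an "only http/https/ftp" allow-list policy. The input is
// normalised by the WHATWG URL parser before the scheme is compared, which
// folds case, strips leading/trailing whitespace, and removes embedded ASCII
// tabs/newlines, so the usual disguises of a javascript: URL do not slip past.
const BOOKMARKABLE_SCHEMES = new Set(["http:", "https:", "ftp:"]); // assumed policy

// Returns the parsed scheme (e.g. "https:"), or null if the input is not an
// absolute, parsable URL (relative paths and garbage are rejected outright).
function bookmarkScheme(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null;
  }
  return url.protocol.toLowerCase();
}

function isBookmarkableUrl(input) {
  const scheme = bookmarkScheme(input);
  return scheme !== null && BOOKMARKABLE_SCHEMES.has(scheme);
}

// Constructed samples covering the cases the thread worries about.
const SAMPLES = [
  ["https://example.com/", true],
  ["ftp://example.com/pub/", true],
  ["javascript:alert(1)", false],
  ["  JAVAscript:alert(1)", false],   // leading spaces, mixed case
  ["java\tscript:alert(1)", false],   // tab inside the scheme is stripped by the parser
  ["data:text/html,<p>x</p>", false], // data: URLs are out of scope here (see bug 656823)
  ["not a url", false],               // relative/unparsable input
];

// True when every sample is classified as expected.
function checkSamples() {
  return SAMPLES.every(([u, expected]) => isBookmarkableUrl(u) === expected);
}
```

A real bookmark store also carries schemes such as about: or file:, so a deployed allow-list would be broader than this one; the point is matching on the parsed scheme rather than on the raw string.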

Comment 4

Comment 1 is asking for a different bug to be filed and fixed. Whatever we do for user scripting, bookmarklets are out there and they won't go away quickly.

/be

Comment 5

8 years ago
For data: URLs, fixing bug 656823 would be better.
Summary: Show a warning when a user tries to bookmark a javascript:/data: url → Show a warning when a user tries to bookmark a javascript: url

Updated

8 years ago
Blocks: 527530

Comment 6

7 years ago
I filed bug 774065 for comment 1.

Updated

5 years ago
Blocks: self-xss

Updated

4 years ago
No longer blocks: self-xss

Updated

3 years ago
Duplicate of this bug: 1320447

Updated

2 years ago
Duplicate of this bug: 1329592

Updated

2 years ago
Duplicate of this bug: 1401277

Updated

6 months ago
Duplicate of this bug: 1510537

Very old bug, and many reporters have already reported it. :o
By the way, although it's one kind of Self-XSS, I think it needs to be RESOLVED, because I see it from another angle. There are a lot of cyber cafes and libraries in every country where anyone can use a public computer. Any malicious user can create a bookmark with a JS payload and an attractive name so that a victim clicks on it.

In my opinion, it needs to be RESOLVED. But thank you for mentioning me here. :)