Need to prevent inadvertent bookmarking of javascript: and data: URLs



12 years ago
a year ago


(Reporter: csthomas, Assigned: neil)


(Depends on: 1 bug, {fixed-seamonkey1.1.8})

Bug Flags:
blocking-seamonkey1.1.8 +

Firefox Tracking Flags

(Not tracked)



(1 attachment)

From firefox bug 371179 (camino is 372020)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:
> Gecko/20061204 Firefox/
> Build Identifier: 
> It should be not possible to bookmark data: and other inline / special URL
> schemes, or, if this functionality is needed, Javascript execution context
> should be properly initialized. Otherwise, such a bookmark, when invoked, will
> be allowed to execute Javascript code in the context of a currently viewed
> resource (Google start page = stealing GMail authentication cookies, for
> example).
> See this demonstration:
> Reproducible: Always
Flags: blocking-seamonkey1.1.2+
Flags: blocking-seamonkey1.0.9+

Comment 1

12 years ago
Assigning to me.


12 years ago
Assignee: nobody → benoit
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/2007022704 Minefield/3.0a3pre] (nightly) (W2Ksp4)

For the record,
I can reproduce the Ctrl+D behaviour with the FF testcase,
and the JS exploit which leads me to <>.

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/20070227 SeaMonkey/1.5a] (nightly) (W2Ksp4)

I can reproduce the Ctrl+D behaviour with the FF testcase,
and not the JS exploit which leads me to <>. (Maybe related to my profile ?)

*(D.o.) Bug 371179, as I guess the SM patch will be based after the FF one.
Component: Bookmarks → Security
Depends on: 371179
OS: Windows XP → All
Hardware: PC → All
Version: 1.8 Branch → Trunk
It would be nice to know what caused the failure for you Serge.
With the latest SM trunk, on Linux, it's the same behavior as with FX.

Maybe redirects you to
With here it fails.

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/20070228 SeaMonkey/1.5a] (nightly) (W2Ksp4)

No redirection.
I tested again, with a new profile, and it succeeded.
I guess the |document.cookie| in <> is "blocked" in my usual profile.
[I don't like JS "playing" with cookies.]

Sorry for my first report:
I didn't try this, because the try+catch masked the exception I get otherwise.
It looks like that demonstration does not explicitly account for secure browser/profile ;-/

Comment 5

12 years ago
What's up here? No action for almost two months on something marked as a blocker? We would strictly be entering code freezes for 1.0.9 and 1.1.2 today, and if we want to hold off those releases for this bug, as the blocking+ flags imply, we badly need a solution. Not tomorrow, but yesterday or some weeks ago, actually!

So, what's the status on this?

Comment 6

12 years ago
Created attachment 262484 [details] [diff] [review]
Fix Add Bookmark

As for Groupmarks, they work by adding new tabs for the bookmarks (and optionally deleting the old tabs), so they always run on a safe context.
Assignee: benoit → neil
Attachment #262484 - Flags: review?(cst)
Comment on attachment 262484 [details] [diff] [review]
Fix Add Bookmark

looks good.
Attachment #262484 - Flags: review?(cst) → review+

Comment 8

12 years ago
[14:08] <BenoitRen> KaiRo: I'm sorry. I'm sorry. I'm sorry. :(
[14:08] <BenoitRen> KaiRo: Read the bugmail. What happened is that I looked at the Firefox patch, got confused, investigated it for a while, and then forgot about it.
[14:08] <BenoitRen> ("Read the bugmail." is meant as paste tense, I didn't add a comment to the bug.)
Comment on attachment 262484 [details] [diff] [review]
Fix Add Bookmark


I'm not sure users will know that a data: url is potentially dangerous even if you show them the dialog
Attachment #262484 - Flags: superreview+

Comment 10

12 years ago
Does this still need to land on the branch(es)?
(In reply to comment #10)
> Does this still need to land on the branch(es)?

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20070504 SeaMonkey/1.0.9] (nightly) (W2Ksp4)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20070505 SeaMonkey/1.1.2] (nightly) (W2Ksp4)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a5pre) Gecko/20070504 SeaMonkey/1.5a] (nightly) (W2Ksp4)

Bug still there.


Well :-/
Actually, this patch has not been checked in anywhere yet.

was recently moved to


11 years ago
Flags: blocking-seamonkey1.1.8?

Comment 12

11 years ago
Fix checked in to the trunk.
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 13

11 years ago
Should we also be triggering a dialog for "Bookmark this link" and "Bookmark this page" from the context menu?

Comment 14

11 years ago
a=me for SM1.1.8
Flags: blocking-seamonkey1.1.8? → blocking-seamonkey1.1.8+


11 years ago
Attachment #262484 - Flags: approval-seamonkey1.1.8+

Comment 15

11 years ago
Fix checked in to the branch.
Keywords: fixed-seamonkey1.1.8


9 years ago
Flags: blocking-seamonkey1.1.2+
Flags: blocking-seamonkey1.0.9+


a year ago
Duplicate of this bug: 1424650
You need to log in before you can comment on or make changes to this bug.