My add-on, AsYouWish, injects a global into every page to allow websites to make privileged requests of the browser upon user permission.

I recently discovered that bookmarklets also gain access to such injected variables (injected in the manner I described here).

While this could otherwise be a nice form of interaction to allow for users of my add-on, my concern is for the case where users have granted a particular trusted website privileges but a malicious third party supplies a bookmarklet to the user which the user runs against the trusted website's context, thereby unwittingly granting privileges to the malicious code (and creating a kind of XSS attack).

Is there any way to either prevent a bookmarklet from gaining access to such globals or to be able to detect from within my injected methods whether the originating context were a bookmarklet or otherwise?

Brett Zamir
  • I don't think this addon would get accepted on AMO man. Did you try? – Noitidart Mar 04 '14 at 05:38
  • I also don't really understand this, bookmarklets have been disabled in FF for a while now. So your addon is adding this feature back? I don't understand why the observer for it, can you give a full working example that demonstrates, please? – Noitidart Mar 04 '14 at 05:40
  • @Noitidart : As far as AMO, I have been waiting close to a year now to get a preliminary review; I have been assured that this review should be happening, and that this level of review is just meant to assure users that this is at least doing what the add-on says and not any more (even if it is risky if sites or users use this unsafely). – Brett Zamir Mar 04 '14 at 06:36
  • @Noitidart: As far as full approval, you are right, I have been told it would not be fully approved because of it being a potential foot-gun (which I can understand...though third party add-ons suffer from the exact same risks, and even more so, given that AYW at least tells you the exact privs it will give). – Brett Zamir Mar 04 '14 at 06:36
  • @Noitidart: I am not adding the bookmarklet feature back, merely injecting a variable into all pages including bookmarklets. As far as bookmarklets being disabled, in FF 27, I am having no trouble using it with AsYouWish. Perhaps you mean that bookmarklets cannot be run from the URL bar as that no longer seems to work, but clicking a link with a bookmarklet does for me (as with `javascript:` links)? – Brett Zamir Mar 04 '14 at 06:39
  • Ah. If you can set me up a working example, please, I can see how it works and do some research. Ah ya, from the URL bar it doesn't work, but links should work fine. I like scratchpad, you can run anything from there. – Noitidart Mar 04 '14 at 06:39
  • You can go to Bookmarks->Show All Bookmarks and click on "Bookmarks toolbar", then click Organize->New bookmark and put the location as say `javascript:alert(document.URL);` Unfortunately, you can't add a keyword to make your bookmarklet more dynamic since as mentioned bookmarklets don't work anymore when typed in the URL; but it will at least be dynamic with the site's contents (FYI, I also just added an AsYouWish one to http://brett-zamir.me/tests2/ayw-bookmarklet.html (and just referenced it from the repo since Github (or Markdown) doesn't display `javascript:` links).) – Brett Zamir Mar 04 '14 at 06:47
  • I've now posted a link to the exact same simple (non-AsYouWish) code within a web page at http://brett-zamir.me/tests2/simple-bookmarklet.html if you prefer to drag it from there instead of manually creating it per my instructions above. – Brett Zamir Mar 04 '14 at 06:59
  • Oh no way! I didn't know that you can still create bookmarklets (a bookmark with js in it)! – Noitidart Mar 04 '14 at 13:59
  • The limitation is no links with the javascript: prefix, to prevent from apparently common 'self-XSS' attacks. – therealjeffg Mar 05 '14 at 17:31

0 Answers