Weblog entry #245 for simonw
bookmarks can own your data
Posted by simonw on Tue 29 Apr 2008 at 16:51
Passed me by until now, but bookmarks can contain executable JavaScript, a horrid idea called bookmarklets.
IE6 and IE7 have the good sense to warn users about such bookmarks, whereas Firefox (and Iceweasel) is happy to allow them without comment.
It isn't clear to this simpleton how wide the scope of the security gap here is, as the bug reports just note that a proper security context isn't created. At the very least you can read information from the current page and send it to a third party when the bookmark is used, because the boss just created one that does exactly that for perfectly legitimate purposes.
I'll create my bookmarks more carefully in future.
Vote here for a warning...
https://bugzilla.mozilla.org/show_bug.cgi?id=371923
More information on this security "feature"...
https://bugzilla.mozilla.org/show_bug.cgi?id=371179