I'm wondering if it's possible to execute code in a bookmarklet in a way that prevents interference from a hostile web page. Specifically, I'm interested in whether a secret value can be hidden in a bookmarklet so that it cannot be intercepted by the page.

My goal is to write a password generator (that generates hash(secret + domain)) and 1-click "vote on this" bookmarklets (which similarly have to contain a secret to prevent CSRF).

I tried that a few years ago, but back then browsers executed Array and String constructors for literals. This is fixed now, right?

If this were a bookmarklet, would it keep the secret safe?

(function(){
        try {
                // the secret only ever lives in this local variable
                var secret = "secret";
        }
        catch(e){}
})();

Is there any point fiddling with a function's toString? Can I call untrusted functions without exposing the function in arguments.callee?

How can I ensure that charCodeAt() hasn't been tampered with? To hash the domain I need to iterate over the characters in window.location.hostname.

Speaking of window.location.hostname, is it trustworthy? Can someone fake it with getters, prototypes, variable shadowing or any other trick?

--
regards, porneL

--
To view archived discussions from the original JSMentors Mailman list: 
http://www.mail-archive.com/[email protected]/