On Wed, 05 Jan 2011 15:49:49 -0000, ndluthier <[email protected]> wrote:
I'm wondering if it's possible to execute code in a bookmarklet in a
way that prevents interference from a hostile web page. Specifically
I'm interested if a secret value can be hidden in bookmarklet that
cannot be intercepted by the page.
Do your needs require you to do ALL of the processing client-side (in
the bookmarklet) or can you do some server-side processing/
authenticating?
I'm just exploring the problem, so I don't have any hard requirements.
I think whether bookmarklet should be all client-side depends on use-case.
For password generator, it 's probably be better to avoid sending password
over the net and to preserve page's state (which would be lost if you
redirected to server and back).
For capturing of the URL it might be mostly server-side, as long as the
action cannot be spoofed. In the latter case the only simpler method I see
is:
window.location.href = 'http://example.com?secret=1234&url=' +
window.location.href
but:
• it sends same secret every time in plain text (maybe with https it's
good enough),
• it doesn't escape the URL, so it can't send URL fragments and, e.g.,
sites using Google's "crawlable AJAX" URLs, like newtwitter, won't work,
• it's too simple to be an interesting challenge :)
So the next best thing is to send hash of the secret and escape the URL,
which increases complexity significantly.
--
regards, porneL
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/
To search via a non-Google archive, visit here:
http://www.mail-archive.com/[email protected]/
To unsubscribe from this group, send email to
[email protected]
