On Wed, 05 Jan 2011 13:00:29 -0600, porneL <[email protected]> wrote:
On Wed, 05 Jan 2011 15:49:49 -0000, ndluthier <[email protected]>
wrote:
I'm wondering if it's possible to execute code in a bookmarklet in a
way that prevents interference from a hostile web page. Specifically
I'm interested if a secret value can be hidden in bookmarklet that
cannot be intercepted by the page.
Do your needs require you to do ALL of the processing client-side (in
the bookmarklet) or can you do some server-side processing/
authenticating?
I'm just exploring the problem, so I don't have any hard requirements.
I think whether a bookmarklet should be all client-side depends on the
use-case. For a password generator, it's probably better to avoid
sending the password over the net and to preserve the page's state (which
would be lost if you redirected to the server and back).
For capturing of the URL it might be mostly server-side, as long as the
action cannot be spoofed. In the latter case the only simpler method I
see is:
window.location.href = 'http://example.com?secret=1234&url=' + window.location.href
but:
• it sends the same secret every time in plain text (maybe with https it's
good enough),
• it doesn't escape the URL, so it can't send URL fragments and, e.g.,
sites using Google's "crawlable AJAX" URLs, like newtwitter, won't work,
• it's too simple to be an interesting challenge.
So the next best thing is to send a hash of the secret and escape the URL,
which increases complexity significantly.
--
regards, porneL
--
I was curious because it seems like you'll keep running into potential
issues running your JavaScript in an untrusted host environment. Instead of
doing work in the page's environment, your bookmarklet could instead append an
iframe with a secure page from YOUR domain and do your
authenticating/processing in that document with some sort of cross-domain
communication back to the untrusted page.
I haven't completely thought through this approach, but I think it would
require you to store the secret server-side.
Ben Barber
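An added example, not part of any message in this thread, sketching the alternative Ben Barber describes: the bookmarklet injects a hidden iframe served from a domain under our control and exchanges messages with it via postMessage, so the secret never enters the untrusted page. The broker origin https://bookmarklet.example, the path /broker.html, the /api/capture endpoint and the message shapes are assumptions; the origin checks are written as pure functions so they can be exercised outside a browser.

```javascript
// Added example (not from the thread): iframe broker with postMessage and
// strict origin checks on both sides. Origin, path and endpoint are assumed.
const BROKER_ORIGIN = 'https://bookmarklet.example'; // assumed
const BROKER_PATH = '/broker.html';                  // assumed

// Exact origin comparison: no prefix match, no regex, no '*'.
function isTrustedOrigin(origin, allowed) {
  return typeof origin === 'string' && origin === allowed;
}

// Host side: accept a message only if it came from our broker and has the
// expected shape. Returns the payload, or null if it must be ignored.
function acceptBrokerReply(event, brokerOrigin) {
  if (!isTrustedOrigin(event.origin, brokerOrigin)) return null;
  const d = event.data;
  if (!d || d.type !== 'capture-result' || typeof d.ok !== 'boolean') return null;
  return d;
}

// Broker side: act only on requests from the host origin this iframe was
// opened for. The bookmarklet passes that origin in the query string, and
// the real event.origin must then match it.
function acceptHostRequest(event, expectedHostOrigin) {
  if (!isTrustedOrigin(event.origin, expectedHostOrigin)) return null;
  const d = event.data;
  if (!d || d.type !== 'capture' || typeof d.url !== 'string') return null;
  return d;
}

// The bookmarklet body, run in the (untrusted) host page. Browser-only.
function injectBroker(win, doc) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.src = `${BROKER_ORIGIN}${BROKER_PATH}?host=${encodeURIComponent(win.location.origin)}`;

  win.addEventListener('message', (event) => {
    const reply = acceptBrokerReply(event, BROKER_ORIGIN);
    if (!reply) return;                                  // anything else is ignored
    win.alert(reply.ok ? 'captured' : 'capture failed'); // only the result reaches the host page
  });

  frame.addEventListener('load', () => {
    // targetOrigin is the broker, never '*', so the request is dropped if
    // the frame has been navigated to some other origin in the meantime.
    frame.contentWindow.postMessage({ type: 'capture', url: win.location.href }, BROKER_ORIGIN);
  });
  doc.body.appendChild(frame);
}

// The broker page, served from BROKER_ORIGIN. Browser-only. No secret lives
// in this script: the broker's server recognises the user from its own
// cookie, which is the server-side storage Ben Barber expects this needs.
function runBroker(win) {
  const expectedHost = new URL(win.location.href).searchParams.get('host');
  win.addEventListener('message', async (event) => {
    const req = acceptHostRequest(event, expectedHost);
    if (!req) return;
    let ok = false;
    try {
      const res = await win.fetch('/api/capture', {       // assumed endpoint
        method: 'POST',
        credentials: 'same-origin',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ url: req.url }),
      });
      ok = res.ok;
    } catch (e) {
      ok = false;
    }
    event.source.postMessage({ type: 'capture-result', ok }, expectedHost);
  });
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.location.origin === BROKER_ORIGIN) runBroker(window);
  else injectBroker(window, document);
}
```

A host page can name any origin in the host query parameter, but since event.origin is set by the browser and must match it, a page can only ever claim to be itself. What this design protects is the confidentiality of the secret; the host page can still block or replace the iframe, so it gives no guarantee that the capture actually happens.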
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/