On 19/02/14 20:56, Mitar wrote:
> This change effectively allows a website to prevent bookmarklets from
> working. In essence, content providers can prevent users to execute
> their own bookmarklets and change how website behaves. It requires
> users to use extensions and not simple scripts.

Interestingly, Mozilla Firefox has since 2009 allowed websites which implement Content Security Policy (CSP) to prevent users from executing their own bookmarklets - albeit by mistake!
https://blog.mozilla.org/security/2009/06/19/shutting-down-xss-with-content-security-policy/#comment-105895

Before a bug fix, even Firebug was subject to CSP:
http://code.google.com/p/fbug/issues/detail?id=6291

Facebook have also implemented something similar (not using CSP) for WebKit browsers (namely Google Chrome). They are using the browser's console API to prevent JavaScript execution in the developer console.
https://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools

On 19/02/14 23:39, Gregory Maxwell wrote:
> There are other ways of dealing with fringe liabilities, go insure
> against it— for example. Shackling the users control of their own
> devices and their own experience on the internet shouldn't be an
> acceptable solution.

The 5th principle of the Mozilla manifesto is "Individuals must have the ability to shape the Internet and their own experiences on the Internet". It will be interesting to see what may happen if web specifications which contradict the principle are approved. I speculate that it may be argued that the principle is still upheld as CSP can trivially be disabled in the config.
https://www.mozilla.org/en-US/about/manifesto/

--
musalbas
https://twitter.com/musalbas