Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

Mike Hommey mh at glandium.org
Mon Nov 16 16:34:39 UTC 2009


On Mon, Nov 16, 2009 at 11:25:04AM -0500, Michael Gilbert wrote:
> On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
> > On Monday, 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> > > On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > > > What’s a bookmarklet? I don’t even know whether epiphany supports this. 
> > > 
> > > It's JavaScript code you bookmark and can run on any site. A bit like
> > > Greasemonkey, but cross-browser. It's designed to run in the current
> > > page context, so the security issue here is by design.
> > 
> > Confirmation before saving the bookmarklet to the list of bookmarks? If
> > so, I’d say epiphany is not affected, since it always asks for
> > confirmation whenever you bookmark something.
> 
> Right, but the current dialog doesn't throw up a scary warning saying
> that the bookmark contains potentially dangerous JavaScript, so some
> work would need to be done to implement that.
> 
> Or, the "safer" solution would be to disallow JavaScript in bookmarks.
> Who in their right mind needs that (anti)feature anyway???

It's a very useful feature. There was some kind of DOM inspector in
such bookmarks way before Firebug existed, and it has the advantage of
being cross-browser.
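The two mitigations discussed in the thread (warn in the confirmation dialog, or disallow JavaScript in bookmarks) both depend on reliably recognising a bookmarklet at save time. The following is an added example, not code from epiphany or from anyone on this thread: it extracts the URL scheme the way a browser parser would (leading/trailing controls stripped, tabs and newlines removed, case-insensitive) so that a bookmark policy of `warn` or `reject` cannot be bypassed with spacing or capitalisation. The function names and sample URLs are constructed for the example.

```javascript
// Extract the scheme of a bookmark URL, following the WHATWG URL parser:
// leading/trailing C0 controls and spaces are stripped, ASCII tab/newline
// are removed everywhere, and the scheme is matched case-insensitively.
// Returns the lowercase scheme, or null if the string has no scheme
// (e.g. a percent-encoded "javascript%3A" is *not* a javascript: URL).
function extractScheme(url) {
  let s = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Schemes whose navigation executes script in the current page context.
const SCRIPT_SCHEMES = new Set(['javascript']);

// Decide what the bookmark dialog should do with a URL under a given
// policy: 'warn' shows the confirmation with an explicit JavaScript
// warning, 'reject' refuses to store the bookmark at all.
function classifyBookmark(url, policy = 'warn') {
  const scheme = extractScheme(url);
  const bookmarklet = scheme !== null && SCRIPT_SCHEMES.has(scheme);
  if (!bookmarklet) return { scheme, bookmarklet, action: 'save' };
  return { scheme, bookmarklet, action: policy === 'reject' ? 'reject' : 'warn' };
}

// Constructed sample inputs a user might paste into the bookmark dialog,
// including spacing/case variants that a naive prefix check would miss.
const SAMPLE_BOOKMARKS = [
  'https://www.debian.org/',
  'javascript:void(alert(document.title))',
  '  JavaScript:void(0)',
  'java\tscript:void(0)',
  'javascript%3Avoid(0)',
];

for (const url of SAMPLE_BOOKMARKS) {
  const r = classifyBookmark(url, 'warn');
  console.log(JSON.stringify(url), '->', r.scheme, r.action);
}
```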
