Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
Michael Gilbert
michael.s.gilbert at gmail.com
Mon Nov 16 16:48:29 UTC 2009
On Mon, 16 Nov 2009 17:34:39 +0100, Mike Hommey wrote:
> On Mon, Nov 16, 2009 at 11:25:04AM -0500, Michael Gilbert wrote:
> > On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
> > > Le lundi 16 novembre 2009 à 09:37 +0100, Mike Hommey a écrit :
> > > > On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > > > > What’s a bookmarklet? I don’t even know whether epiphany supports this.
> > > >
> > > > It's javascript code you bookmark and can run on any site. A bit like
> > > > greasemonkey, but cross-browser. It's designed to run in the current
> > > > page context, so the security issue here is by design.
> > >
> > > Confirmation before saving the bookmarklet to the list of bookmarks? If
> > > so, I’d say epiphany is not affected, since it always asks for
> > > confirmation whenever you bookmark something.
> >
> > right, but the current dialog doesn't throw up a scary warning saying
> > that the bookmark contains potentially dangerous javascript, so some
> > work would need to be done to implement that.
> >
> > or, the "safer" solution would be to disallow javascript in bookmarks.
> > who in their right mind needs that (anti)feature anyway???
>
> It's a very useful feature. There has been some kind of DOM inspector in
> such bookmarks way before firebug existed,
addons seem like a better place for code/script execution anyway (since
there are already warnings about installing/running that stuff). from my
perspective (and from a solid security standpoint) bookmarks should be
static. i.e. users should get what they expect every single time they
click the bookmark.
> and it has the advantage of being cross-browser.
so, you're saying that this is a good feature and hence must be kept
based on the fact that it is currently available in a lot of browsers
(i.e. all gecko-based browsers and no webkit/khtml browsers)?
mike
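The two mitigations discussed in this thread, a warning when a bookmark carries JavaScript and an outright refusal of such bookmarks, come down to one check: is the bookmark target a `javascript:` URL (a bookmarklet, run in the context of whatever page is open) or a static location? The following is an added example, not code from epiphany, WebKit or the bug report, showing that check as a browser could apply it when a bookmark is saved or clicked. The function names, the policy names and the sample bookmarks are assumptions made for the illustration. The scheme extraction follows the parts of the WHATWG URL parsing rules that matter here (leading/trailing controls and spaces are trimmed, ASCII tab and newline are removed anywhere, the scheme is case-insensitive), because a plain `startsWith("javascript:")` would miss forms such as `  JavaScript:` or `java\tscript:` that browsers still execute.

```javascript
// Added example (hypothetical names; not epiphany's or WebKit's code).
// Classifies a bookmark target as a bookmarklet or a static location and
// applies one of the policies proposed in the thread: warn on it, or refuse it.

// Extract the URL scheme the way a browser's URL parser would see it:
//  - strip C0 controls and spaces from both ends,
//  - remove ASCII tab/LF/CR anywhere in the string,
//  - scheme is [a-zA-Z][a-zA-Z0-9+.-]* followed by ":", compared case-insensitively.
// Returns the lower-cased scheme, or null for a relative/scheme-less target.
function extractScheme(url) {
  if (typeof url !== "string") return null;
  let s = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// A bookmarklet is any bookmark whose target scheme is "javascript".
function isBookmarklet(url) {
  return extractScheme(url) === "javascript";
}

// Policies named after the options raised in the thread (assumed names).
const POLICY = { allow: "allow", warn: "warn", deny: "deny" };

// Decide whether a bookmark may be saved/used under `policy`, and what the
// user should be told. Static bookmarks pass unchanged under every policy.
function checkBookmark(url, policy) {
  if (!isBookmarklet(url)) return { allowed: true, warning: null };
  switch (policy) {
    case POLICY.allow:
      return { allowed: true, warning: null };
    case POLICY.warn:
      return {
        allowed: true,
        warning:
          "This bookmark contains JavaScript. When clicked it runs inside " +
          "the page you are currently viewing, with that page's data.",
      };
    case POLICY.deny:
      return { allowed: false, warning: "JavaScript bookmarks are not allowed." };
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample bookmarks (not taken from any real bookmark file).
// The last three are the spellings a naive prefix check would misclassify.
const SAMPLE_BOOKMARKS = [
  "https://bugs.debian.org/556272",
  "javascript:alert(document.title)",      // a minimal DOM-peeking bookmarklet
  "javascript%3Aalert(1)",                 // percent-encoded: no scheme, treated as relative
  "  JavaScript:void(document.body.style.background='#fff')",
  "java\tscript:alert(document.cookie.length)",
  "\njavascript:alert(1)",
];

// Run the classifier over the samples; returns [target, isBookmarklet] pairs.
function classifyAll(bookmarks) {
  return bookmarks.map((u) => [u, isBookmarklet(u)]);
}

for (const [u, script] of classifyAll(SAMPLE_BOOKMARKS)) {
  const verdict = checkBookmark(u, POLICY.deny);
  console.log(JSON.stringify(u), script ? "bookmarklet" : "static", verdict.allowed ? "saved" : "refused");
}
```

Under the `warn` policy the user still gets a bookmarklet, but the save dialog can carry the warning text instead of the ordinary "add bookmark" prompt; under `deny` the bookmark is refused outright, which is the "bookmarks should be static" position above. Either way the decision has to be made on the normalized scheme, since the obfuscated forms in the sample list would otherwise be stored as if they were static.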
More information about the pkg-gnome-maintainers mailing list