Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
Peter Chapman
pmc8p at virginia.edu
Tue Dec 22 20:58:27 UTC 2009
I do know of a few popular sites that use bookmarklets, such as Delicious
(http://delicious.com/help/bookmarklets). It can be useful for simple,
cross-browser tasks.
Using 2.22.3 the mouseover text (if it's in your toolbar) does warn you:
Executes the script "Bookmarklet Name"
But dragging it to the toolbar produces no warning whatsoever.
In my quick testing, no browser throws a warning when using drag-and-drop. I
agree that there should be some sort of notification that the bookmark being
added contains JavaScript and could be malicious.
Peter Chapman
--------------------------------------------------
From: "Mike Hommey" <mh at glandium.org>
Sent: Monday, November 16, 2009 1:00 PM
To: "Michael Gilbert" <michael.s.gilbert at gmail.com>; <556272 at bugs.debian.org>
Subject: Re: Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
> On Mon, Nov 16, 2009 at 11:48:29AM -0500, Michael Gilbert wrote:
>> so, you're saying that this is a good feature and hence must be kept
>> based on the fact that it is currently available in a lot of browsers
>> (i.e. all gecko-based browsers and no webkit/khtml browsers)?
>
> It works in (at least) safari, IE, Firefox and Opera. I'm pretty sure it
> at least worked before in Konqueror.
>
> Mike
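The missing drag-and-drop check discussed above, as an added example that is not part of the bug thread or of Epiphany's own code: a drop onto a bookmark toolbar delivers a `text/uri-list` payload, and the code below parses it, normalises each entry the way browsers do before reading the scheme, and attaches a warning to any entry that would execute script. The function names and the sample payload are constructed for this example.

```javascript
// Normalise a URL string before reading its scheme: strip leading and
// trailing C0 controls/spaces and drop embedded tab/newline, which browsers
// ignore, so "  JaVaScRiPt:" or "java\tscript:" are not missed.
function normalizeUrl(raw) {
  return raw.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "").replace(/[\t\n\r]/g, "");
}

// Lowercase scheme of a URL, or null when there is none.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// A bookmarklet is simply a bookmark whose scheme is javascript:.
function isBookmarklet(url) {
  return schemeOf(url) === "javascript";
}

// Parse a text/uri-list payload (RFC 2483): one URI per line, CRLF line
// endings, lines beginning with '#' are comments and are skipped.
function parseUriList(payload) {
  return payload
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"));
}

// Classify every dropped entry; a UI would show `warning` before adding
// the bookmark instead of silently accepting the drop.
function classifyDrop(payload) {
  return parseUriList(payload).map((url) => {
    const scheme = schemeOf(url);
    return {
      url,
      scheme,
      warning: scheme === "javascript" ? "Executes a script when opened; review before adding" : null,
    };
  });
}

// Constructed sample payload: a normal link, a plain bookmarklet, and one
// that hides its scheme behind leading whitespace and mixed case.
const samplePayload = [
  "# dragged from a page (constructed sample)",
  "http://delicious.com/help/bookmarklets",
  "javascript:void(location.href='http://delicious.com/save?url='+encodeURIComponent(location.href))",
  "  JaVaScRiPt:void(0)",
].join("\r\n");
```

Running `classifyDrop(samplePayload)` flags the second and third entries and leaves the plain `http:` link without a warning.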