tags:

views:

101

answers:

1
+2  Q: 

What are some design and security considerations to take into account when developing bookmarklets?

I'm trying to design some bookmarklets right now, that connect back to a server (say like magnolia), but by their very nature bookmarklets seem to fly in the face of what's established as internet security, and they are basically cross-site scripting by definition, however they are also powerful and cool tools, and fit the need of my requirements so I want to use them.

However since they are perhaps the ugly-ducklings of Javascript usage, I'm wondering what would be some special considerations and common sense that should be applied in respect to their design and security.

Thanks!

Edit: One policy I have is that the bookmarklet simply will not start if the user is within an https page.

+3  A: 

It's really other people's bookmarklets the user has to worry about. If it's from an untrusted source, you don't know what it might do when activated (stealing cookies or scraping sensitive info.) Since it is your code being injected cross-site, there's no real dangers to you, and only to your users if you put them there deliberately.

Edit:

I would avoid code that might interfere with the host page's global scope, like redefining global objects and prototypes. You can place all of your bookmarlet code within a function block to restrict its scope:

(function(){

// your code

})()

Any variables and functions defined within that block won't interfere with the host page, unless you dip into global objects and prototypes, DOM, etc. If you post an example where you might need to do this, we could possibly help with refactoring.

Zach  2009-01-22 03:03:46
I'm also concerned about functionality clashing, say the host page redefines basic prototypes, then my scripts might act weird. Any idea how to play it safe here?
Robert Gould  2009-01-22 03:08:33
Thanks for the explanation, now that you mention it the closure will give me the protection required! As for code, I'm still on the drawing board right now :)
Robert Gould  2009-01-22 03:38:58

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security