Is it safe to use an untrusted bookmarklet on a web page with sensitive data?

1

Is it safe to use an untrusted bookmarklet on a web page containing sensitive data, for example internet banking page? In particular, can a bookmarklet send the data anywhere or execute some actions (like following links) on the page?

vitaut

Posted 2012-03-01T07:30:31.150

Reputation: 161

1 – This isn't really a programming problem, voting to migrate to SuperUser – Darko Z – 2012-03-01T07:36:42.740

Answers

6

Is it safe to use an untrusted bookmarklet on a web page containing sensitive data, for example internet banking page?

No.

In particular, can a bookmarklet send the data anywhere or execute some actions (like following links) on the page?

Yes.

A bookmarklet runs some JavaScript as if it were included on the page by the page author (with all the permissions that implies).

Quentin

Posted 2012-03-01T07:30:31.150

Reputation: 1 191

"as if it were included on the page by the page author." I think it can do even more, at least on some browsers it is closer to what a browser extension can do. – Thilo – 2012-03-01T07:34:02.280

2 – @Thilo Bookmarklets get no special privileges in any of the newer versions of IE, Firefox, or Chrome. I'm not as confident about Safari and Opera, but I seriously doubt it. But they are plenty dangerous enough without any special permission if you don't know what they do. Should generally avoid using them on highly critical websites. – None – 2012-03-01T15:11:54.997

2

No, it is not safe.

A bookmarklet can see everything on the page, read its cookies and its local storage, and interact with the server the page came from (and I even think other servers as well, as the cross-domain-sandboxing may not apply to bookmarklets).

Thilo

Posted 2012-03-01T07:30:31.150

Reputation: 2 975

1 – The same sandboxing applies to a bookmarklet as would apply to normal JavaScript run on the page. – None – 2012-03-01T15:09:23.890
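Both answers make the same point: a bookmarklet is ordinary page-level JavaScript, so it can read the DOM, cookies and storage, talk to servers and trigger navigation or form submission. A practical consequence for a user is that the `javascript:` URL behind a bookmarklet can be inspected before it is ever run. The following checker is an added example written for this page, not code from either answer: it decodes a bookmarklet URL and reports which of those capability classes the script appears to use. The pattern table, the `highRisk` rule and the three sample bookmarklets (with `example.invalid` hosts) are constructed for illustration. It is a triage aid based on pattern matching; minified or obfuscated code can hide these calls, so an empty report is not proof of safety.

```javascript
// Added example: static triage of a bookmarklet's "javascript:" URL.
// Not part of the original Q&A; patterns and samples are constructed.

// Capability classes the answers describe, each with regexes that commonly
// indicate the script uses that capability. Heuristic, not exhaustive.
const CAPABILITY_PATTERNS = {
  readsCookies: [/\bdocument\.cookie\b/],
  readsStorage: [/\b(localStorage|sessionStorage|indexedDB)\b/],
  readsPageContent: [
    /\bdocument\.(body|documentElement|forms|querySelector(All)?|getElement\w+)\b/,
    /\b(innerText|innerHTML|textContent)\b/,
  ],
  sendsNetworkRequests: [
    /\bfetch\s*\(/,
    /\bXMLHttpRequest\b/,
    /\bnavigator\.sendBeacon\b/,
    /\bnew\s+Image\s*\(/,
    /\.src\s*=/,
    /\bcreateElement\s*\(\s*['"`](script|img|iframe)['"`]/,
  ],
  navigatesOrSubmits: [
    /\blocation\.(href|assign|replace)\b/,
    /\bwindow\.open\s*\(/,
    /\.submit\s*\(/,
    /\.click\s*\(/,
  ],
  evaluatesCode: [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bsetTimeout\s*\(\s*['"`]/],
};

// Strip the "javascript:" scheme and undo percent-encoding so the patterns
// see the script as the browser would execute it.
function decodeBookmarklet(url) {
  const trimmed = url.trim();
  if (!/^javascript:/i.test(trimmed)) {
    throw new Error('not a javascript: URL');
  }
  let source = trimmed.slice('javascript:'.length);
  try {
    source = decodeURIComponent(source);
  } catch (e) {
    // Malformed escape sequence: keep the raw text rather than fail.
  }
  return source;
}

// Returns the decoded source, the capability classes detected, and a
// highRisk flag for scripts that can reach other servers, load code, or
// act on the user's behalf (the concerns raised in the question).
function analyzeBookmarklet(url) {
  const source = decodeBookmarklet(url);
  const capabilities = Object.entries(CAPABILITY_PATTERNS)
    .filter(([, patterns]) => patterns.some((re) => re.test(source)))
    .map(([name]) => name);
  const highRisk = ['sendsNetworkRequests', 'evaluatesCode', 'navigatesOrSubmits']
    .some((name) => capabilities.includes(name));
  return { source, capabilities, highRisk };
}

// Constructed samples (hosts use the reserved .invalid TLD).
const SAMPLE_BOOKMARKLETS = {
  uppercaseTitle: 'javascript:void(document.title=document.title.toUpperCase())',
  remoteScriptLoader:
    "javascript:(function()%7Bvar%20s%3Ddocument.createElement('script')%3B" +
    "s.src%3D'https%3A%2F%2Fcdn.example.invalid%2Fb.js'%3Bdocument.body.appendChild(s)%7D)()",
  submitsFirstForm: 'javascript:(function(){document.forms[0].submit()})()',
};

// Stand-alone report for the samples above.
for (const [name, url] of Object.entries(SAMPLE_BOOKMARKLETS)) {
  const result = analyzeBookmarklet(url);
  console.log(`${name}: highRisk=${result.highRisk} capabilities=[${result.capabilities.join(', ')}]`);
}
```

In the sample run the title-changing bookmarklet reports no capabilities, the percent-encoded loader is flagged because it injects a `<script>` from another host (which hands the page to whatever that server serves), and the form-submitting one is flagged because it acts on the page without the user clicking anything. Any bookmarklet that comes back `highRisk` deserves the same scrutiny as an unknown browser extension before it is used on a banking session.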