In modern browsers, is there any security limitation for JavaScript bookmarklets?

I read an article about bookmarklets that said bookmarklets are very powerful and can be dangerous. For example, a malicious bookmarklet could collect your cookies, localStorage and the strings in password input fields, then send them to a remote server, similar to "script injection".

I'm curious about this. Since that article was written in 2007 (8 years ago), have any restrictions been placed on bookmarklets (and browser plugins) to improve security in modern browsers?

Bookmarklets are scripts written and run by the user. Yes, they can do everything you mention (restricted in the same way as any other code in the page you inject them into), but only when the user triggers them. It is indeed script injection, but script injection by the person in charge of the machine. By opening the browser's developer tools, the user can do at least as much, and in fact more.

But to answer the question you actually asked: no, I don't think any new restrictions have been placed on bookmarklets in the past few years.

Content Security Policy is not intended to affect bookmarklets:

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.

But there are some unintended consequences:

Bookmarklets. People love them, and CSP breaks them.

Instapaper, for instance, injects a script tag to load instapapering code from Instapaper's origin. I suspect it would end up injecting CSS as well. Though the bookmarklet itself executes as expected, its actions on the page are subject to the page's policy, so these loads are likely blocked. That's certainly the case on mikewest.org and github.com.

CSP blocks javascript: protocol URIs that load external scripts:

Whenever the user agent would execute script contained in a javascript URI, instead the user agent must not execute the script. (The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)

Fixing that would make most of my bookmarklets work, but it won't help with bookmarklets associated with services like Pocket and SubToMe. Those bookmarklets load external scripts which will be blocked by GitHub's script-src CSP directive.

script-src can be bypassed by running the bookmarklet code via the developer tools or a userscript, but that's not the point:

...although you are limited in what URL you can use to inject a script into certain CSP-protected documents, you can insert ANY text DIRECTLY into the document.

A userscript that converts bookmarklets into script tags would be another workaround.
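As an added example (not code from the original question or answers), here is a simplified JavaScript model of how a page's CSP `script-src` directive decides whether a `<script src>` injected by a bookmarklet will load, which is the mechanism behind the Instapaper and GitHub cases above. The policies, page URLs and script URLs it is exercised with are constructed; nonces, hashes, 'strict-dynamic' and path matching are left out.

```javascript
// Added example, not code from the original question or answers: a simplified
// model of CSP script-src matching. The bookmarklet itself (a javascript: URI)
// is exempt, but any <script src> it injects is checked against the page's
// policy. Nonces, hashes, 'strict-dynamic' and path matching are not modelled.

// Parse a CSP header string into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

// Does one source expression allow loading scriptUrl from a page at pageUrl?
function sourceMatches(expr, scriptUrl, pageUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (e.startsWith("'")) return false;          // other keywords never match a URL
  if (e === '*') return /^https?:$/.test(scriptUrl.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return scriptUrl.protocol === e; // scheme-source
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme ? scriptUrl.protocol === scheme + ':'
    : scriptUrl.protocol === pageUrl.protocol ||
      (pageUrl.protocol === 'http:' && scriptUrl.protocol === 'https:'); // http -> https upgrade
  const hostOk = wildcard ? scriptUrl.hostname.endsWith('.' + host)
    : scriptUrl.hostname === host;
  const scriptPort = scriptUrl.port || defaultPort(scriptUrl.protocol);
  const portOk = port === '*' || scriptPort === (port || defaultPort(scriptUrl.protocol));
  return schemeOk && hostOk && portOk;
}

// Would a <script src=scriptUrlStr> injected into the page at pageUrlStr load?
function scriptAllowed(cspHeader, pageUrlStr, scriptUrlStr) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                    // no applicable directive: unrestricted
  const pageUrl = new URL(pageUrlStr), scriptUrl = new URL(scriptUrlStr);
  return sources.some(s => sourceMatches(s, scriptUrl, pageUrl));
}
```

With a policy such as `default-src 'none'; script-src 'self' https://cdn.example.com`, a bookmarklet that injects `https://bookmarklet.example.net/loader.js` is blocked while `https://cdn.example.com/lib.js` loads, which is exactly the GitHub situation described above.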
