(*** This bug was imported into bugs.kde.org ***)
Package: keditbookmarks
Version: unknown (using KDE 2.1.2 )
Severity: wishlist
Installed from: Debian Package 4:2.1.2-3 (testing/unstable)
Compiler: gcc version 2.95.4 20010522 (Debian prerelease)
OS: Linux
OS/Compiler notes: Linux kernel 2.4.6 Debian woody
It would be nice to have support for Bookmarklets in Konqueror such as the ones available at http://www.bookmraklets.com/. Bookmarklets are bookmarks with URI type "javascript" which should execute the JavaScript code in the URI when visited. Bookmarklets are useful for various actions on the current page like sending the page's URL to an HTML validator or mark something in the page or send some text in the page to a search engine's query or sending the page's URL to a search engine's "related pages" query. As well as pop up some Javascript message/dialog boxes and process the input to generate some page or send to some other URL. Of course bookmarklets are mostly useful in the bookmarks toolbar so they should be supported there.
(Submitted via bugs.kde.org)
(Called from KBugReport dialog. Fields OS manually changed)
*** Bug 34023 has been marked as a duplicate of this bug. ***
*** Bug 28150 has been marked as a duplicate of this bug. ***
low priority as this is quite difficult. but i've got some ideas for how to do it :)
done in latest cvs though you'll need to use keditbookmarks to add the bookmarks currently as konqueror doesn't allow you to add them even after executing them itself :) if you find any bookmarklets that don't work then please add the testcases to this bug report and i'll try to get them working. thanks for the input! Alex
due to security problems with bookmarklets and the lack of time that i've got to do the research required to make them secure i've disabled the feature and re-opened the bug. Alex
ok, given that 8 people have voted for this i've given time to a new way of doing bookmarklets. in the tools menu i'll add a small submenu called mini-tools, related to that menu will be a minitoolsrc file in .kde/share/config, here lines of javascript can be typed in to provide you with javascriptlets. if you have any nice bookmarklets _please_ add them to this bug report. otherwise i'll not even bother as konqi _has_ to come with a good set of mini-tools. Alex
Some bookmarklets which I think might be helpful:
From http://www.bookmarklets.com/tools/data/index.phtml :
Page Freshness? - this can be useful to know if a project is still being maintained
Statusbar Shows URL - some irritating websites don't show the URL, but some text like the page's title in the statusbar. This is extremely annoying IMHO
http://www.bookmarklets.com/tools/look/index.phtml : these are all ways to easily modify the pages bg color, disable bg image, change text color,... a lot of sites have colors which don't go together well - at all - and makes reading painful.
Page Color... - asks for a bg color
Page Color to White - the name says it all
Text Color... - this one is an alternative to the two above, and changes the text color instead of the bg image.
Remove Background Image - sometimes it's not the bg color, but the bg image which is annoying...
Hide All Images - if images are used only for decoration and take a long time to load
Hide 468 x 60 Banners - this can be extremely useful, especially on sites owned by internet.com ;-)
Text Font to Verdana - to modify some crappy fonts
Text Font to Arial - same as above of course
This sounds like a nice feature, but I would highly recommend limiting the capabilities of bookmarklets, and somehow giving people the choice of elevating a bookmarklet's privileges if it requires it. This sounds like a potential security hazard if not properly handled.
Subject: Re: Would like Support for Bookmarklets
On Wed, Mar 26, 2003 at 10:24:30AM -0000, Rene Horn wrote:
> This sounds like a nice feature, but I would highly recommend limiting the capabilities of
> bookmarklets, and somehow giving people the choice of elevating a bookmarklet's privileges if it
> requires it. This sounds like a potential security hazard if not properly handled.
(rene, this isn't really aimed at you, so don't take it too personally, it's a generic comment)
this would require waaay too much programming effort for something that is basically pointless
i'm getting close to the point of simply closing this bug with a "wontfix" and doing so any time bookmarklets are suggested in the future. i shall do the minitools applet tonight, if there are any complaints about security problems or reverts of my commit i will simply remove all further such wishlist items unless they contain patches.
mvg, Alex
Doesn't JavaScript in general contain security problems? There are many things in the *nix world that can have a security problem (su, apache, ssh etc.) but that's not enough reason to remove them.
I don't really see any security issues with regards to this at all. JavaScript has no file I/O or network I/O on your machine, the only data it can ever access is cookie files. And because scriptlets have no domain, they could not access any cookies either. So what is the security problem?
Subject: Re: Would like Support for Bookmarklets
On Wed, Mar 26, 2003 at 06:54:06PM -0000, Jason Keirstead wrote:
> I don't really see any security issues with regards to this at all. JavaScript has no file
> I/O or network I/O on your machine, the only data it can ever access is cookie files.
> And because scriptlets have no domain, they could not access any cookies either.
> So what is the security problem?
the current page is entirely accessible through js. without this ability bookmarklets are useless, and with it they pose a security risk. of course, it's the user's fault imo if they use a bookmarklet that they are not sure of, but...
Alex
Well IMO this is common sense. A bookmarklet is locally stored, it should be no different from a shell script in your home directory when it comes to permissions. Just as you can have a dangerous shell script, so could you have a dangerous bookmarklet. It's not like websites can auto-install them.
Subject: Re: Would like Support for Bookmarklets
On Wed, Mar 26, 2003 at 07:08:17PM -0000, Jason Keirstead wrote:
> Well IMO this is common sense. A bookmarklet is locally stored, it should be no
> different from a shell script in your home directory when it comes to permissions.
> Just as you can have a dangerous shell script, so could you have a dangerous
> bookmarklet. It's not like websites can auto-install them.
true. that's one thing that having them in mini-tools menu as opposed to just having them in the bookmarks menu itself really helps on.
Alex
*** Bug 56453 has been marked as a duplicate of this bug. ***
IE is a good example of evil javascript just search securityfocus ;)
The only reason JS has had so many security problems in IE is that they allow people to instantiate ActiveX objects from JS if the script is run in a "secure zone", and ActiveX objects pretty much can get full access to anything. All the holes in IE revolve around hacking around the "secure zone" so you can do activex junk in an insecure zone... the reality is there is no need for any of the ActiveX junk in the first place and they never should have allowed this.
This discussion gets out of bookmarklet topic so sorry for that but check : http://www.guninski.com/navan-desc.html http://www.greymagic.com/adv/gm012-ie/ http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00115.html There are many more and need no ActiveX which is real security headache btw. And if you do not add a bookmarklet yourself you have no security problem ( existent or non-existent ones ) . Let this message be the last out-of-topic message on this bug btw. Feel free to mail me for personal discussion.
Back to the topic.
> Well IMO this is common sense. A bookmarklet is locally stored, it should be no
> different from a shell script in your home directory when it comes to permissions.
> Just as you can have a dangerous shell script, so could you have a dangerous
> bookmarklet. It's not like websites can auto-install them.
I fully agree and think we should give this feature at least a chance. If it's in a public release once and people then find hundreds of ways how to abuse bookmarklets to breach security even though it can't be accessed and added by websites, can't access any I/O etc. then we can still remove it again. Afaics this is technically impossible so I suggest either adding this feature or proving us wrong.
now in cvs: kdeaddons/konq-plugins/minitools could you if possible please send me your magical minitools bookmarks files when you get a good set of bookmarklets that work with this?, if any javascript in bookmarks doesn't work, simply add them as comments to this bug and i'll look into fixing them. thanks, Alex
*** Bug 57410 has been marked as a duplicate of this bug. ***
From: http://www.squarefree.com/bookmarklets/webdevel.html
for example the "ancestors" bookmarklet works perfectly when clicked on the page, but when clicked from bookmarks konqueror tries to search the javascript: link on google.
Also, I've got overaddicted to the "edit styles" bookmarklet on the same page, although I guess that supporting the mozilla-specific XMLHttpRequest could be too much work compared to gains.
Other highly useful bookmarklets from the same site:
"show_hiddens" and "undisable" from forms section
"increment/decrement" from misc
"linkify" in log analysis (useful for viewing any text file..)
Subject: Re: Would like Support for Bookmarklets
On Sunday 15 June 2003 17:14, riku.voipio@iki.fi wrote:
> ------- Additional Comments From nchip@kos.to 2003-06-15 16:14 -------
> From:
> http://www.squarefree.com/bookmarklets/webdevel.html
>
> for example the "ancestors" bookmarklet works perfectly when clicked on
> the page, but when clicked from bookmarks konqueror tries to search the
> javascript: link on google.
>
This bug is closed, please open another bug report for this.
*** Bug 65831 has been marked as a duplicate of this bug. ***
On Sunday 15 June 2003 17:14, riku.voipio@iki.fi wrote:
> ------- Additional Comments From nchip@kos.to 2003-06-15 16:14 -------
> From:
> http://www.squarefree.com/bookmarklets/webdevel.html
>
> for example the "ancestors" bookmarklet works perfectly when clicked on
> the page, but when clicked from bookmarks konqueror tries to search the
> javascript: link on google.
>
This bug is closed, please open another bug report for this.
... that i just did. which got immediately closed being a duplicate of this one.
That script works as it should in HEAD (development version) using the minitools bookmarklet plugin (note: that not being done through the bookmarks menu is by design)
Another really handy use for this feature is for sites like Backflip, http://www.backflip.com. They have a piece of javascript that you add to your links bar that allows you to bookmark the current page and store that bookmark on their site.
I think it would be much more useful if bookmarklets can be entered in the location bar and saved in normal bookmarks - **like in any other browser**.
Subject: Re: Would like Support for Bookmarklets
On Tue, Dec 30, 2003 at 10:35:59AM -0000, Oded Arbel wrote:
> I think it would be much more useful if bookmarklets can be entered in the location bar and saved in normal bookmarks - **like in any other browser**.
sorry i'm afraid i disagree due to the security concerns. feel free to post a patch which enables this and adds sandbox levels to kjs.
Alex
Subject: Re: Would like Support for Bookmarklets
On Tuesday 30 December 2003, 12:48, lypanov@kde.org wrote:
> On Tue, Dec 30, 2003 at 10:35:59AM -0000, Oded Arbel wrote:
> > I think it would be much more useful if bookmarklets can be entered in
> > the location bar and saved in normal bookmarks - **like in any other
> > browser**.
>
> sorry i'm afraid i disagree due to the security concerns.
> feel free to post a patch which enables this and adds sandbox
> levels to kjs.
Why would this be a security issue? What's the difference between the mini-tools and just storing bookmarklets directly into the regular bookmark file? And what about directly typing in the location bar? Surely you can't argue that this is a security issue? If the user types javascript:rm / -rf (if that was possible in javascript), then I think konqueror should joyfully oblige and remove the user's entire file system.
Subject: Re: Would like Support for Bookmarklets
On Tue, Dec 30, 2003 at 01:44:22PM -0000, Oded Arbel wrote:
> Why would this be a security issue ? what the difference between the
> mini-tools and just storing bookmarklets directly into the regular bookmark
> file ?
1) mini-tools file has to be edited to add bookmarks. adds a level of indirection that ain't nice to advanced users.
2) it stops the possibility that people will execute javascript: urls without being aware of it.
Alex
Subject: Re: Would like Support for Bookmarklets
On Tuesday 30 December 2003 16:01, lypanov@kde.org wrote:
> > Why would this be a security issue ? what the difference between the
> > mini-tools and just storing bookmarklets directly into the regular
> > bookmark file ?
>
> 1) mini-tools file has to be edited to add bookmarks.
> adds a level of indirection that ain't nice to advanced
> users.
That's what I consider a problem. It's not a huge problem as it uses the same editor as the normal bookmark editor, but it'd be nice to have everything in the same place and regular bookmarks are more accessible due to the bookmark toolbar. For example I have a bookmarklet that runs babylon.com to translate words that I select in a web page. Having this as a button on the toolbar is three times more useful than clicking "tools"->"mini-tools"->"translate" every time. You seem to imply that bookmarklets by nature are dangerous, a concern I do not understand. Why are these more dangerous than regular javascript being run on a web page? IMO they are less so as the user has to manually add them and then manually invoke them while regular javascripts do not have these limitations.
> 2) it stops the possibility that people will
> execute javascript: urls without being aware of it.
I again fail to see how that is different than having javascripts active in a web page. Bookmarklets are even more secure than those. If you are referring to the ability to type "javascript:" commands on the location bar then I fail to see how a user can do that w/o being aware of it.
> 1) mini-tools file has to be edited to add bookmarks.
> adds a level of indirection that ain't nice to advanced
> users.
How can this be considered an advantage?
> 2) it stops the possibility that people will
> execute javascript: urls without being aware of it.
Since any random website can contain Javascript, I fail to see how that increases security in any way. Also I fail to see how an attacker could possibly benefit from that. If an attacker creates some "bad" bookmarklet and hopes the user installs and runs it, it doesn't make any difference whether the bookmarklet is in "minitools" or not. Also the attacker can run the bad Javascript as soon as the victim is on his website, I don't see the point in going the bookmarklet-route at all. If awareness of javascript URLs is important, why not do the obvious and mark them as such (with a special icon for example - or a "js:" prefix) or pop up a "This is a javascript URL you are trying to start" but please include a "never show me this again"-checkbox.
Subject: Re: Would like Support for Bookmarklets
On Tue, Dec 30, 2003 at 04:45:51PM -0000, Roland Seuhs wrote:
> Since any random website can contain Javascript, I fail to see how
> that increases security in any way. Also I fail to see how an attacker
> could possibly benefit from that. If an attacker creates some "bad"
> bookmarklet and hopes the user installs and runs it, it doesn't make
> any difference whether the bookmarklet is in "minitools" or not. Also
> the attacker can run the bad Javascript as soon as the victim is on
> his website, I don't see the point in going the bookmarklet-route at
> all.
but not on someone else's site. a minitool otoh. could steal credit card from the current page.
Alex
Subject: Re: Would like Support for Bookmarklets
On Tuesday 30 December 2003, 19:41, lypanov@kde.org wrote:
> but not on someone else's site. a minitool otoh.
> could steal credit card from the current page.
Supposedly so, but the user would still have to manually install the "steal credit card" bookmarklet and then manually invoke the untrusted script. And they still can do it with the mini-tools interface, which just makes it two more clicks to install and two more clicks to run. I don't accept that this is cause enough to add the extra complexity to everyone on the off case that someone would be stupid enough to do the above mentioned steps. I don't see any difference between a malicious bookmarklet and someone putting a keyboard sniffer or a back door program on their site with the title "install me". The users shouldn't be so stupid to install untrusted code w/o examining it, and if they do it's not our fault.
Subject: Re: Would like Support for Bookmarklets
On Tue, Dec 30, 2003 at 07:47:35PM -0000, Oded Arbel wrote:
> I don't see any difference between a malicious bookmarklet and someone putting
> a keyboard sniffer or a back door program on their site with the title
> "install me". the users shouldn't be so stupid to install untrusted code w/o
> examining it, and if they do it's not our fault.
sorry but this is just flawed thought the user should not have to inspect urls that they add to the bookmarks file. if you want it so much please submit a patch and convince the other konqueror developers to accept it. i won't do so as i have no interest whatsoever in bookmarklets and i've added the basic on people's request already.
mvg, Alex
Subject: Re: Would like Support for Bookmarklets
> sorry but this is just flawed thought the user should not have to
> inspect urls that they add to the bookmarks file.
I understand but I think it's not different than other scenarios where the user has to show some smarts.
> if you want it so much please submit a patch and convince the
> other konqueror developers to accept it. i won't do so as i have
> no interest whatsoever in bookmarklets and i've added
> the basic on people's request already.
Ok. Thanks for all the work you've done, and for patiently putting up with me :-) I'll see what I can do about a patch to get the behavior I want before approaching this bug again.
The main thing I find extremely annoying and lacking in the current bookmarklets support is how out of line it is with the other browsers. In Mozilla or IE you can go to a site like http://www.bookmarklets.com or http://www.google.ca/options/buttons.html and just drag the bookmarklet to your toolbar, boom, you have a nice functional button. Or, you can just right click the link and "Add Bookmark".
In Konqueror you can't do either; you have to right click, copy location, launch mini tools editor, paste it in, etc. And there is *no* way at all to add a browser button.
This causes problems in two ways. One, it makes it totally inapparent to the new user how they are supposed to add these bookmarklets, so much so that they'd likely think Konqueror doesn't support them. Two, not having the ability to create a browser button eliminates much of the convenience of bookmarklets.
Really, I totally agree with Oded in that I do not see any security-related reason that JS bookmarks should be restricted; the user has to manually add them, and then has to manually activate them, if they are doing this without checking for possible security holes that is their problem.
A good compromise (much better than this mini-tools boondoggle) would be to simply prompt with a Continue / Cancel warning dialog (with a "Do not ask me this again" checkbox) when the user tries to bookmark a javascript: link, and if they click "Continue" then add it to normal bookmarks ( or the toolbar if they dragged it there ). This fixes all the issues I just outlined and also alerts the user to possible security concerns.
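The Continue / Cancel prompt proposed in the comment above, sketched in JavaScript as an added example (not code from Konqueror or from anyone in this thread). `reviewBookmark`, `prefs.skipJsWarning` and the `askUser` callback are hypothetical names, and the sample bookmarklets are constructed.

```javascript
// Added example. Every name here is hypothetical; none is Konqueror or KJS API.

// URL parsers drop tabs/newlines and leading control or space characters, and
// match schemes case-insensitively, so " JaVa\tScript:..." is still a script.
function splitScheme(rawUrl) {
  const cleaned = rawUrl.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? { scheme: m[1].toLowerCase(), rest: cleaned.slice(m[0].length) } : null;
}

// The body of a javascript: URL is percent-decoded before it runs. A bare "%"
// in the code makes decodeURIComponent throw, so fall back to the raw text
// and let the review continue.
function decodeBody(rest) {
  try {
    return decodeURIComponent(rest);
  } catch (e) {
    return rest;
  }
}

// Hints for the dialog text only. Pattern matching is easy to evade, so this
// informs the user; it is not a sandbox.
const HINTS = [
  [/createElement\(\s*['"]script['"]\s*\)/i, 'loads further script into the page'],
  [/document\.cookie/i, 'reads cookies of the current site'],
  [/\.value\b|document\.forms/i, 'reads form field contents'],
  [/XMLHttpRequest|window\.open|location(\.href)?\s*=|\.src\s*=/i,
    'can send data to another address'],
];

function describeScript(source) {
  // True of every bookmarklet: it runs as the page the user is looking at.
  const warnings = ['runs with full access to the page currently displayed'];
  for (const [pattern, text] of HINTS) {
    if (pattern.test(source)) warnings.push(text);
  }
  return warnings;
}

// prefs.skipJsWarning models the "Do not ask me this again" checkbox.
// askUser(warnings) stands in for the dialog and returns
// { proceed: boolean, dontAskAgain: boolean }.
function reviewBookmark(rawUrl, prefs, askUser) {
  const parsed = splitScheme(rawUrl);
  if (!parsed || parsed.scheme !== 'javascript') {
    return { stored: true, prompted: false, warnings: [] };
  }
  const warnings = describeScript(decodeBody(parsed.rest));
  if (prefs.skipJsWarning) return { stored: true, prompted: false, warnings };
  const answer = askUser(warnings);
  if (answer.proceed && answer.dontAskAgain) prefs.skipJsWarning = true;
  return { stored: answer.proceed, prompted: true, warnings };
}

// Constructed sample bookmarklets (not taken from any real site).
const SAMPLE_RESTYLE = "javascript:void(document.body.style.background='%23fff')";
const SAMPLE_REMOTE = "javascript:s=document.createElement('script');" +
  "s.src='http://tools.example/add.js';document.body.appendChild(s);void(0);";

const demoPrefs = { skipJsWarning: false };
const cancel = () => ({ proceed: false, dontAskAgain: false });
console.log(reviewBookmark('http://example.org/', demoPrefs, cancel));
console.log(reviewBookmark(SAMPLE_REMOTE, demoPrefs, cancel));
```

The prompt only covers the moment a javascript: URL is stored; once the checkbox is ticked, later bookmarklets are added without any review.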
Subject: Re: Would like Support for Bookmarklets
On Fri, Jan 02, 2004 at 02:42:05PM -0000, Jason Keirstead wrote:
> The main thing I find extremely annoying and lacking in the current bookmarklets support is how out of line it is with the other browsers. In Mozilla or IE you can go to a site like http://www.bookmarklets.com or http://www.google.ca/options/buttons.html and just drag the bookmarklet to your toolbar, boom, you have a nice functional button. Or, you can just right click the link and "Add Bookmark".
>
> In Konqueror you can't do either; you have to right click, copy location, launch mini tools editor, paste it in, etc. And there is *no* way at all to add a browser button.
>
> This causes problems in two ways. One, it makes it totally inapparent to the new user how they are supposed to add these bookmarklets, so much so that they'd likely think Konqueror doesn't support them. Two, not having the ability to create a browser button eliminates much of the convenience of bookmarklets.
>
> Really, I totally agree with Oded in that I do not see any security-related reason that JS bookmarks should be restricted; the user has to manually add them, and then has to manually activate them, if they are doing this without checking for possible security holes that is their problem.
>
> A good compromise (much better than this mini-tools boondoggle) would be to simply prompt with a Continue / Cancel warning dialog (with a "Do not ask me this again" checkbox) when the user tries to bookmark a javascript: link, and if they click "Continue" then add it to normal bookmarks ( or the toolbar if they dragged it there ). This fixes all the issues I just outlined and also alerts the user to possible security concerns.
please send in patches. i'm not accepting requests on this topic anymore.
Alex
See Bug #76423; hopefully, it ends up in the right mailbox this time.
whether or not it ends up in the correct mailbox is of little concern in any case. i'll repeat what i've already said on several occasions. send your patches in to the relevant mailing lists. Alex
I've started a preliminary project exploring the issues. You can get a pre-alpha version that is operational here: http://konqlets.berlios.de/. If you would like to help further its goals, let me know. This project is a KIO that will allow for javascript: URIs. Thanks, Jeff
On January 27, 2005 08:29 pm, Greg Stark wrote:
> But my version of konqueror doesn't seem to have the minitool thing. I
> can't tell what happened in this bug report in the end after all the
> arguments, did it get included or disabled? What version did it appear in?
For anyone interested.. I have just hacked in a very easy way to add full javascript: support to Konq. This will make javascript: typed URLs work in the location bar, and will also let normal bookmarks execute as bookmarklets. It is a nasty dcop hack but it seems to work fine.
Instructions:
1. Copy the javascript.protocol to your $KDEDIR/share/services directory
2. Copy the javascript.sh to anywhere, and chmod it 755
3. Edit the javascript.protocol file to point at the javascript.sh
That's it!
Created an attachment (id=9323) javascript.sh
Created an attachment (id=9324) javascript.protocol
On January 27, 2005 10:08 pm, Jason Keirstead wrote:
> 2. Copy the javascript.sh to anywhere, and chmod it 755
Just a note - the javascript.sh had a bug in it... place quotes around the evalJS line ( make it look like below ), otherwise more complicated scripts fail:
    dcop $konq $widget evalJS "${1:11}";
Why is this marked "fixed"? To me it clearly is not fixed. There are some attachments that allow "nasty dcop hacks", and IMHO that is far from fixed. IMHO this is only fixed when I can apt-get or urpmi konqueror, and that has bookmarklet support in it. You cannot expect people to fiddle around with .protocol files and .sh files. Even some non-nasty .protocol would suffice for most users. But certainly, an attachment in a bug thread is really not "fixing" this.
This is marked fixed because one of the developers (Alex) has invested considerable time to address the bookmarklet issue and has reached a solution which provides a good balance (at least according to said developer) between the apparent security issues and bookmarklet usability. If you think this is not the case, and are not happy with the current solution that the Konqueror developers have reached, then - as Alex mentioned a few times in the comments (which I hope you had the good sense to read from start to end) - you are free to send patches that integrate your requested behavior and I'm sure the code will be examined and judged on its merits.
Alex, thank you for your work on the minitools. I had wanted to add a javascript bookmark from Refworks .com. (i've included it below if you would like to look at it). Basically this script takes bibliographic information from a webpage, logs into your Refworks account and stores the information on the Refworks bibliography database. This is a VERY nice tool and it is great to be able to use it (thank you) but it would be even better if more people knew about the tool since this bookmarklet is so easy to save in other webbrowsers (i saw the extensive comments above; and I have nothing to add here except to say these little scripts are very useful).
I have a small feature request. Is it possible to have a plugin for Konqueror that would take the same information and download it to a locally run bibliographic software such as Kbibtex or the not-so-advanced-but-they are-working-on-it-for-next-release bibliographic software of OpenOffice? this would be a phenomenal feature, a true boon to any poor sap like myself who has to read and organize lots of papers. There are proprietary solutions but an open source tool like this would be awesome. Maybe the bookmarklet idea is a good one? i don't have a handle on how hard this project would be to implement or even if this is the right place to bring this up. Thanks again.
Refworks bookmark/booklet
javascript:var wRWMain1=window.open('','RefWorksBookmark');d=document;i='AddToRWScript';if(d.getElementById(i))RWAddToRW1();else{s=d.createElement('script');s.type='text/javascript';s.src='http://www.refworks.com/refworks/include/addtorw.asp';s.id=i;d.getElementsByTagName('head')[0].appendChild(s);}void(0);
(In reply to comment #46)
> This is marked fixed because one of the developers (Alex) has invested
> considerable time to address the bookmarklet issue and has reached a solution
> which provides a good balance (at least according to said developer) between
> the apparent security issues and bookmarklet usability.
I have a major problem with this. I think it's fair to have bookmarklets disabled by default, but I think the adult and consenting user should be allowed to enable, at his own risk, fully functional bookmarklets that can sit in the bookmark bar, as with any other browser. Otherwise the adult and consenting user will keep using a different browser. Having bookmarklets available but awkward to use, as currently implemented in minitools, is a bad compromise when it comes to usability. Moreover, the description of konq-plugins 4.4.0 (incl. minitools) says: "These plugins are not part of the official KDE Software Compilation, they are a KDE Extragear software and may get out of sync with Konqueror." I'm not sure whether this still holds but I find it scary..
>
> If you think this is not the case, and are not happy with the current solution
> that the Konqueror developers have reached, then - as Alex mentioned a few
> times in the comments (which I hope you had the good sense to read from start
> to end) - you are free to send patches that integrate your requested behavior
> and I'm sure the code will be examined and judged on its merits.
Well if you extend this reasoning you can mark most bugs here as "fixed, unless someone out there wants to really fix it", but then what's the point of tracking bugs.. I think a "WON'T FIX" would be more appropriate, but personally I hope that this bug will be reopened. Nevertheless thanks a lot Alex and everybody for the great job!
For the record, the same issue has been solved in rekonq: https://bugs.kde.org/show_bug.cgi?id=250623 I tested it and I could add and use bookmarklets without any warning, so I don't see why it should be a problem to do the same in konqueror..