Hanfei Sun Hanfei Sun - 1 month ago 10
Javascript Question

In modern browsers, is there any security limitation for JavaScript bookmarklets?

I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous. For example, a malicious bookmarklet can collect your "cookies", "localStorage", the string in the password input box and then send it to a remote server, which is similar to "script injection".

I'm curious about that. Since this article was written in 2007 (8 years ago), is there any limitation for bookmarklets (as well as browser plugins) to improve the security in modern browsers?

Answer

Bookmarklets are scripts run by the user. Yes, they can do all of the things you mentioned (limited in the same way that any other code in the page you inject them into is limited), but only when the user triggers them. They are indeed script injection, but script injection by the person in charge of the machine. The user can do at least as much, and really quite a lot more, by opening the browser's developer's tools.

But answering the question you actually asked: No, I don't think any new restrictions have been put on bookmarklets in the last several years.