
In Modern Browsers, Is There Any Security Limitation For Javascript Bookmarklets?

I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous. For example, a malicious bookmarklet can collect your 'cookies', 'localStor

Solution 1:

Bookmarklets are scripts run by the user. Yes, they can do all of the things you mentioned (limited in the same way that any other code in the page you inject them into is limited), but only when the user triggers them. They are indeed script injection, but script injection by the person in charge of the machine. The user can do at least as much, and really quite a lot more, by opening the browser's developer's tools.

But answering the question you actually asked: No, I don't think any new restrictions have been put on bookmarklets in the last several years.

Solution 2:

The Content Security Policy is not intended to affect bookmarklets:

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.

but has some unintended consequences:

Bookmarklets. People love them, and CSP breaks them.

Instapaper, for instance, injects a script tag to load instapapering code from Instapaper's origin. I suspect it would end up injecting CSS as well. Though the bookmarklet itself executes as expected, its actions on the page are subject to the page's policy, so these loads are likely blocked. That's certainly the case on mikewest.org and github.com.

CSP blocks javascript: protocol URIs which load external scripts:

Whenever the user agent would execute script contained in a javascript URI, instead the user agent must not execute the script. (The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)

Fixing that would make most of my bookmarklets work, but it won't help with bookmarklets associated with services like Pocket and SubToMe. Those bookmarklets load external scripts which will be blocked by GitHub's script-src CSP directive.

script-src can be circumvented by running bookmarklet code through developer tools or userscripts, but that's beside the point.

...although you are limited in what URL you can use to inject a script into certain CSP-protected documents, you can insert ANY text DIRECTLY into the document.

A userscript which converts bookmarklets to script tags would be another workaround.
