简体繁体 English

在现代浏览器中，JavaScript 书签是否有任何安全限制？

[英]In modern browsers, is there any security limitation for JavaScript bookmarklets?

原文 2015-11-13 12:50:03 1 2 javascript/ security/ browser/ bookmarklet/ javascript-injection

I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous.我读过一篇关于 bookmarklets 的文章，它说 bookmarklets 非常强大，它们可能很危险。 For example, a malicious bookmarklet can collect your "cookies", "localStorage", the string in the password input box and then send it to a remote server, which is similar to "script injection".例如，恶意书签可以收集您的“cookies”、“localStorage”、密码输入框中的字符串，然后将其发送到远程服务器，这类似于“脚本注入”。

I'm curious about that.我对此很好奇。 Since this article was written in 2007 (8 years ago), is there any limitation for bookmarklets (as well as browser plugins) to improve the security in modern browsers?由于这篇文章是在 2007 年（8 年前）写的，书签（以及浏览器插件）是否有任何限制来提高现代浏览器的安全性？

2 个解决方案

Bookmarklets are scripts run by the user .书签是由用户运行的脚本。 Yes, they can do all of the things you mentioned (limited in the same way that any other code in the page you inject them into is limited), but only when the user triggers them.是的，他们可以做你提到的所有事情（限制方式与你注入它们的页面中的任何其他代码都受到限制一样），但仅限于用户触发它们时。 They are indeed script injection, but script injection by the person in charge of the machine .确实是脚本注入，不过是机器负责人的脚本注入。 The user can do at least as much, and really quite a lot more, by opening the browser's developer's tools.通过打开浏览器的开发人员工具，用户至少可以做同样多的事情，实际上还可以做更多的事情。

But answering the question you actually asked: No, I don't think any new restrictions have been put on bookmarklets in the last several years.但是回答您实际提出的问题：不，我认为在过去几年中没有对书签设置任何新的限制。

The Content Security Policy is not intended to affect bookmarklets:内容安全策略无意影响书签：

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.执行 CSP 策略不应干扰用户提供的脚本的操作，例如第三方用户代理加载项和 JavaScript 书签。

but has some unintended consequences:但有一些意想不到的后果：

Bookmarklets.书签。 People love them, and CSP breaks them.人们爱他们，而 CSP 打破了他们。

Instapaper, for instance, injects a script tag to load instapapering code from Instapaper's origin.例如，Instapaper 注入了一个脚本标签来从 Instapaper 的来源加载 instapapering 代码。 I suspect it would end up injecting CSS as well.我怀疑它最终也会注入 CSS。 Though the bookmarklet itself executes as expected, it's actions on the page are subject to the page's policy, so these loads are likely blocked.尽管书签本身按预期执行，但它在页面上的操作受页面策略的约束，因此这些加载可能会被阻止。 That's certainly the case on mikewest.org and github.com.在 mikewest.org 和 github.com 上肯定就是这种情况。

CSP blocks javascript: protocol URIs which load external scripts: CSP 阻止加载外部脚本的javascript:协议 URI：

Whenever the user agent would execute script contained in a javascript URI, instead the user agent must not execute the script.每当用户代理执行包含在 javascript URI 中的脚本时，用户代理不得执行该脚本。 (The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.) （即使在强制执行此限制时，用户代理也应执行“书签”中包含的脚本。）

Fixing that would make most of my bookmarklets work, but it won't help with bookmarklets associated with services like Pocket and SubToMe.修复该问题将使我的大部分书签工作，但它不会帮助与 Pocket 和 SubToMe 等服务相关联的书签。 Those bookmarklets load external scripts which will be blocked by GitHub's script-src CSP directive.这些书签加载外部脚本，这些脚本将被 GitHub 的 script-src CSP 指令阻止。

script-src can be circumvented by running bookmarklet code through developer tools or userscripts, but that's besides the point可以通过开发人员工具或用户script-src运行书签代码来绕过script-src ，但这不是重点

...although you are limited in what URL you can use to inject a script into certain CSP-protected documents, you can insert ANY text DIRECTLY into the document. ...尽管您可以使用哪些 URL 将脚本注入某些受 CSP 保护的文档受到限制，但您可以将任何文本直接插入到文档中。

A userscript which converts bookmarklets to script tags would be another workaround将书签转换为脚本标签的用户脚本将是另一种解决方法

References参考