HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

IE's Bookmarklet limits create privacy risk

Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL like http:// they use javascript :. This means when you click on the bookmarklet JavaScript code runs. Some common example's of bookmarklets include:




  • Take any word that was highlighted on a webpage and open a new window with the Wikipedia entry for that word


  • Strip all the HTML out of a webpage and only render the images


  • Submit the current URL to a bookmarking site like del.icio.us


The popular Firefox extension, GreaseMonkey is basically a collection of bookmarklets. You can read more about Bookmarklets and see examples on Wikipedia.


Since a bookmarklet is just a javascript : URL with some JavaScript code, it's size is limited by how long a URL can be. All the browsers differ on this limit, with most allowing several kilobytes. However, IE takes the unusual step of specifically crippling the size of a javascript : URL to 508 characters! This
makes it impossible to have complex bookmarklets without resorting to a trick. To load large bookmarklets in IE, the
bookmarklet has to bootstrap a larger JavaScript file by dynamically
creating a SCRIPT tag, and point the source attribute at a file containing the rest of the JavaScript for the bookmarklet. This means IE sends an HTTP request to fetch the rest of the script! This is
actually a privacy violation, because the HTTP request for the larger
JavaScript file will have an HTTP referer (sic) header with the URL of webpage the
person is invoking the bookmarklet on. Depending on the setup, it is possible that a user is telling the bookmarklet creator each and every time they use the bookmark, as well as what website they are using it on.



The bottom line is bookmarklets are a very cool and powerful feature. Any security enhancement gained by limiting their length is far outweighed by the privacy violation it creates.

 

Labels: Bookmark| IE| Privacy
Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog

Featured


Follow Us
Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.