I’m trying to design some bookmarklets right now, that connect back to a server (say like magnolia), but by their very nature bookmarklets seem to fly in the face of what’s established as internet security, and they are basically cross-site scripting by definition, however they are also powerful and cool tools, and fit the need of my requirements so I want to use them.
However since they are perhaps the ugly-ducklings of Javascript usage, I’m wondering what would be some special considerations and common sense that should be applied in respect to their design and security.
Thanks!
Edit: One policy I have is that the bookmarklet simply will not start if the user is within an https page.
It’s really other people’s bookmarklets the user has to worry about. If it’s from an untrusted source, you don’t know what it might do when activated (stealing cookies or scraping sensitive info.) Since it is your code being injected cross-site, there’s no real dangers to you, and only to your users if you put them there deliberately.
Edit:
I would avoid code that might interfere with the host page’s global scope, like redefining global objects and prototypes. You can place all of your bookmarlet code within a function block to restrict its scope:
Any variables and functions defined within that block won’t interfere with the host page, unless you dip into global objects and prototypes, DOM, etc. If you post an example where you might need to do this, we could possibly help with refactoring.