在现代浏览器中，JavaScript小书签是否有安全限制? [英] In modern browsers, is there any security limitation for JavaScript bookmarklets?

问题描述

我阅读了有关小书签的文章这说明小书签功能如此强大，可能会很危险.例如，恶意的书签可以收集您的"cookie"，"localStorage"和密码输入框中的字符串，然后将其发送到远程服务器，类似于脚本注入".

I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous. For example, a malicious bookmarklet can collect your "cookies", "localStorage", the string in the password input box and then send it to a remote server, which is similar to "script injection".

我对此很好奇.自从这篇文章写于2007年(八年前)以来，书签(以及浏览器插件)在提高现代浏览器的安全性方面是否有任何限制?

I'm curious about that. Since this article was written in 2007 (8 years ago), is there any limitation for bookmarklets (as well as browser plugins) to improve the security in modern browsers?

推荐答案

书签是由用户运行的脚本.是的，它们可以完成您提到的所有操作(以与您注入它们的页面中任何其他代码相同的方式进行限制)，但只能在用户触发它们时进行.它们确实是脚本注入，但是由机器负责人进行脚本注入.通过打开浏览器的开发人员工具，用户至少可以做很多事情，甚至可以做很多事情.

Bookmarklets are scripts run by the user. Yes, they can do all of the things you mentioned (limited in the same way that any other code in the page you inject them into is limited), but only when the user triggers them. They are indeed script injection, but script injection by the person in charge of the machine. The user can do at least as much, and really quite a lot more, by opening the browser's developer's tools.

但是回答您实际提出的问题:不，我认为最近几年对小书签没有任何新的限制.

But answering the question you actually asked: No, I don't think any new restrictions have been put on bookmarklets in the last several years.

这篇关于在现代浏览器中，JavaScript小书签是否有安全限制?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！