View Full Version : Cross site javascript privileges and bookmarklets

07-27-2008, 07:46 PM
What privileges do you have when you enter javascript into the address bar?

Does this change when it's a bookmarklet?

What about adding a local script from a bookmarklet - does this occur as a cross-site script?

Does greasemonkey alter this? If so how? Does it just allow cross-site scripting for greasemonkey scripts or does it inject it into the page?


Just trying to alter a company document collaborator to add functionality.

Thanks in advance

07-28-2008, 10:30 AM
I don't know what a:

company document collaborator

is, unless it's someone you work with. I can tell you a bit about pasting javascript into the address bar. As long as it is syntactically correct and refers only to actual objects (in the global scope) on the page, it will work. Anything that you do there (or via a bookmarklet) will happen in the global scope. So, you will not be able to access or define variables that are defined and accessed only within the limited scope of a function already on that page. But if that function is itself in the global scope, you can replace it, this may have unexpected consequences though.

None of this has anything to do with cross site scripting, which I don't really fully understand, but has something to do with actually injecting javascript onto a page by using a non-standard link to it. I believe a page must first have a vulnerability to this though, at least before anything of use to the person attempting to cross site script can be had for the effort.

Cross site scripting is generally nefarious, as is javascript injection through comments in things like guestbooks. There are various methods and good practices to employ in preventing both these threats.

Perhaps if we knew more about what you wanted to accomplish, we could be of more help.

07-28-2008, 05:51 PM
I think I mean cross-domain scripting more than XSS vunerabilities. I'm going to read up some more about it.

The basic idea is to log on to a document collaborator, like 'Aconex', 'Cadweb', or 'Business Collaborator', and to add functionality on top of what exists using javascript:
Hide items to clear the GUI,
Reduce frame size,
Allow resize,
Add search functionality,
Add function to highlight search terms,
Allow easy javascript RegExp search of pages.
Add quick filters.
maybe more.

07-28-2008, 06:02 PM
Sounds ambitious. Bookmarklets should work for at least some of those things, and there may even be some around that will either do the job in some of those cases or be adaptable. Google bookmarklets.