No access to bookmarks in BrowserID window makes it impossible to use a password generating bookmarklet to sign in #521

Closed
Mardeg opened this Issue Nov 2, 2011 · 7 comments


@benadida benadida was assigned Nov 3, 2011
@benadida
Contributor

some thoughts on this: bookmarklets are either fully self-contained, or they pull in some third-party library.

If they're self-contained, then it is very difficult to code that bookmarklet correctly:
http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf

If they're not self-contained, then that means they're including a third-party library, which we are going to disallow via Content-Security-Policy anyways.

So, I think we have to leave things as they are. Closing this issue and marking it WONTFIX.

@benadida benadida closed this Feb 14, 2012
@Mardeg
Mardeg commented Feb 14, 2012

I'm interested in your analysis of the bookmarklet in the URL field at the bugzilla link since it doesn't seem to match any of the case studies given in that PDF.

@benadida
Contributor

@Mardeg do you have a link to a clean version of that code? Parsing the minified JS is a bit hard on the late-night brain :)

@Mardeg
Mardeg commented Feb 16, 2012

It was autogenerated from supergenpass.com a while ago from a form where there were choices on things such as the length of the generated password and whether to "store the master password" or not. I chose not to, obviously, just mentioning it in case there is redundant code in there that isn't called.
The site probably changed how it generates the bookmarklet since then.
Here is a pastebin of the code unminified by hand:

http://pastebin.mozilla.org/1485319

@Mardeg
Mardeg commented Feb 16, 2012

Sorry, missed a minified function - http://pastebin.mozilla.org/1485325

@Mardeg
Mardeg commented Feb 19, 2012

An alternative would be to provide a built-in generating tool based on either an existing master password or a prompted one if remembering passwords is disabled, otherwise a completely random one which would be at parity with https://sites.google.com/a/chromium.org/dev/developers/design-documents/password-generation

@jbonacci
Contributor

@benadida or @Mardeg does this need to be reopened since your conversation is recent?

@benadida benadida was unassigned by Mardeg Jan 6, 2015