Add a bookmark that is only javascript, not a URL - javascript

I'm thinking that the reason I can't do this is because it might be a huge security hole, but here goes...
I want to have a bookmark on my browser (FF3, preferably) that is only a snippet of javascript code. It would merely construct a URL based on the current date and then do a window.location = on that URL.
I know that I could make a page and keep it on my local machine and just refer to it that way, but I was just wondering if you could bypass that step and actually have the "location" of the bookmark really just be javascript. I could have sworn that this was possible years ago, but I can't find anything that tells me either way now.

What you want is a bookmarklet they are easy to create and should work in most major browsers.
Edit: Stack overflow seems not to allow creating bookmarklets in the context of the site, basically you can create a new bookmark and type the following in the location field
javascript:window.location='http://www.google.com/search?q='+Date()
to get a bookmarklet that searches google for the current date.

It is worthy of note that you can put that in a function wrapper as well. imranamajeed nicely illustrated that for us... but apparently I'm too new to the site to up his post. :P
so for clarity:
javascript:(function(){
location.href = location.href + "#";
})();
(the carriage returns did not affect performance in chrome and IE)

One minor catch. IE can only handle a 508 character URL in this format. If you save it in IE with a url longer than this, it will truncate without warning and thus fail.
If you need a really complex script, you'll need to use a "hosted" bookmarklet, where you have a short bookmark that injects a script tag into the page, to "call" your hosted bookmarklet.
It isn't as nice/portable, but its the only workaround.

Google Bookmark
javascript:(function(){var%20a=window,b=document,c=encodeURIComponent,d=a.open("http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk="+c(b.location)+"&title="+c(b.title),"bkmk_popup","left="+((a.screenX||a.screenLeft)+10)+",top="+((a.screenY||a.screenTop)+10)+",height=420px,width=550px,resizable=1,alwaysRaised=1");a.setTimeout(function(){d.focus()},300)})();

Well, I just created a bookmark in FF3, went back and updated it and added the following test:
javascript:alert('Wacky%20test%20yo');
Low and behold, after I saved and loaded, I was able to get my alert.
I'm sure you can work up something similar for your needs.

Related

Is it possible to overwrite the window.location.hostname value in JS

I am looking for a way to fool a web page, more precisely a js module in spanking it to believe that it is on another domain name. I documented myself and I came across pkusieur forum which spoke of overwrite the variable window.location.hostname. I unfortunately did not find any answer to my question. Did I orient myself well? Can somebody solve my problem?
Thank you in advance.
EDIT
I can use explorer like firfox or chrome or use a spécifique python module for create a appilcation can do this.
You can directly change window.location.hostname, however doing so will cause the browser to actually navigate to the new URL.
You can't have window.location reflect a value that isn't the actual location of the browser.
Modifying window.location.xy results in page-reload:
console.log(window.location.hostname);
console.log(window.location.hostname="example.com");
console.log(window.location.hostname);
(In the JS console you can see that the value remains unchanged for the snippet itself, but then the page reloads from example.com)
My goal is not to redirect but I want to stay on www.example.com but the js import code is veiled www.fakeSite.com #tevemadar.
I think you would need to change origin for that, and it is the only read-only part of Location exactly for making that impossible. You want to circumvent CORS to my understanding.
I do not suggest using it, but if you desperately need some hack to test something, check https://cors-anywhere.herokuapp.com/

Bookmarklet to make URL from Clipboard content

I'm trying to make a Bookmarklet to grab an id value from the Clipboard, and navigate to a URL that is built with that id.
javascript:(function(){
window.location="index.php?module=Accounts&action=DetailView&record="
+ clipboardData.getData('Text');
})()
(this is only supposed to work when clicked on a specific site that is expecting that URL form)
The basics of the Bookmarklet are working fine, the tricky part is getting the Clipboard value, because clipboardData is not working.
I am using Firefox v64 (although I would like this to be generic across more browsers, at least modern ones).
Now, upon searching about this issue I realize what I'm trying to do is not as simple as it seems - clipboard API's in browsers are a tricky issue. I found several answers about this, the best one seems to be this:
JavaScript get clipboard data on paste event (Cross browser)
I also tried this one but couldn't get it to work either: https://stackoverflow.com/a/27908501/1189711
My question here is: are any of those techniques applicable in a Bookmarklet? If so, I would appreciate some help with this. My skills in Javascript are too low to understand how to translate these answers to my case - namely the asynchronous stuff.
PS - if someone wants a place to test this, just put 84f1bb99-7017-e8dc-94f9-5c179da9f102 in your clipboard and try it on this demo site, credentials will/will.
Clipboard copy cannot works from scripts. It must comes from an user action.
Similary, in the same way, you can't call a fullscreen from a bookmarklet.
From the Firefox console:
document.execCommand(‘cut’/‘copy’) was denied because it was not
called from inside a short running user-generated event handler.
I try this method and it works:
SAME WINDOWS:
javascript:location.href='https://www.ricerca.com?search%27+escape(location.href)
NEW WINDOWS: (by https://9to5answer.com/window-location-href-and-window-open-methods-in-javascript)
window.open()
javascript:window.open("https://www.ricerca.com?search="+window.getSelection());

Add a bookmark containing JavaScript, not a URL

I want to have a bookmark on my browser (Firefox 3 or Chrome preferably) that is only a snippet of JavaScript code. It would construct a URL based on the current date and then do a window.location =  on that URL.
I know that I could make a page and keep it on my local machine and just refer to it that way, but I was wondering if you could bypass that step and actually have the location of the bookmark really just be JavaScript. I could have sworn that this was possible years ago, but I can't find anything that tells me either way now.
You can do that by adding this to your favorites:
javascript:(function(){document.location.href="http://stackoverflow.com";})()
The correct name for this kind of bookmarks is favelets. For some more inspiration check out this collection of favelets.
Use as your bookmark’s address javascript:window.location='https://www.google.com/search?q='+Date();
to create a bookmarklet that searches Google for the current date and time.

jQuery on MTurk, why does Chrome report "Unsafe JavaScript attempt to access frame with URL"?

I'm doing a couple of things with jQuery in an MTurk HIT, and I'm guessing one of these is the culprit. I have no need to access the surrounding document from the iframe, so if I am, I'd like to know where that's happening and how to stop it!
Otherwise, MTurk may be doing something incorrect (they use the 5-character token & to separate URL arguments in the iframe URL, for example, so they DEFINITELY do incorrect things).
Here are the snippets that might be causing the problem. All of this is from within an iframe that's embedded in the MTurk HIT** (and related) page(s):
I'm embedding my JS in a $(window).load(). As I understand it, I need to use this instead of $(document).ready() because the latter won't wait for my iframe to load. Please correct me if I'm wrong.
I'm also running a RegExp.exec on window.location.href to extract the workerId.
I apologize in advance if this is a duplicate. Indeed - after writing this, SO seems to have a made a good guess at this: Debugging "unsafe javascript attempt to access frame with URL ... ". I'll answer this question if I figure it out before you do.
It'd be great to get a good high-level reference on where to learn about this kind of thing. It doesn't fit naturally into any topic that I know - maybe learn about cross-site scripting so I can avoid it?
** If you don't know, an MTurk HIT is the unit of work for folks doing tasks on MTurk. You can see what they look like pretty quick if you navigate to http://mturk.com and view a HIT.
I've traced the code to the following chunk run within jquery from the inject.js file:
try {
isHiddenIFrame = !isTopWindow && window.frameElement && window.frameElement.style.display === "none";
} catch(e) {}
I had a similar issue running jQuery in MechanicalTurk through Chrome.
The solution for me was to download the jQuery JS files I wanted, then upload them to the secure amazon S3 service.
Then, in my HIT, I called the .js files at their new home at https://s3.amazonaws.com.
Tips on how to make code 'secure' by chrome's standards are here:
http://developer.chrome.com/extensions/contentSecurityPolicy.html
This isn't a direct answer to your question, but our lab has been successful at circumventing (read hack) this problem by asking workers click on a button inside the iframe that opens a separate pop-up window. Within the pop-up window, you're free to use jQuery and any other standard JS resources you want without triggering any of AMT's security alarms. This method has the added benefit of allowing workers to view your task in a full-sized browser window instead of AMT's tiny embedded iframes.

Automatically eval a local script on a specific URI in Firefox

I want to improve an existing website (I have no access to) by using my own javascript.
This means I have to add an < script > to the < head >. I am currently doing this by clicking on a bookmark which has something like this as its target:
javascript: if(document.createElement){
void(head=document.getElementsByTagName('head').item(0));
void(script=document.createElement('script'));
void(script.src='http://local/script.js');
void(script.type='text/javascript');
void(head.appendChild(script));
} // i added some spacer to make it readable
This works fine, but since i've got a lot of different scripts it gets complicated to organize them.
I am now looking for a way to automatically insert a defined script-uri if the top.location.href matches a given string.
Is there a way firefox can do something like this - maybe with the help of an add-on?
Userscripts are what you're looking for. Use Greasemonkey for Firefox to run your own script on specific sites.
https://addons.mozilla.org/en-US/developers/docs/sdk/1.12/modules/sdk/page-mod.html uses the add-on sdk, and provides precisely what you're looking for (i.e. an easy way to attach a script to a webpage if it matches a given domain). That gives you the option of making your addon a standalone one easily; moreover, if you were to extend its functionality significantly, the addon sdk would certainly be the way to go!

Categories