IE's Bookmarklet limits create privacy risk

Published 02 January 07 04:09 PM | Billy 

Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL like http:// they use javascript:. This means that when you click on the bookmarklet, JavaScript code runs. Some common examples of bookmarklets include:

  • Take any word that was highlighted on a webpage and open a new window with the Wikipedia entry for that word
  • Strip all the HTML out of a webpage and only render the images
  • Submit the current URL to a bookmarking site like del.icio.us

The popular Firefox extension GreaseMonkey is basically a collection of bookmarklets. You can read more about bookmarklets and see examples on Wikipedia.

Since a bookmarklet is just a javascript: URL with some JavaScript code, its size is limited by how long a URL can be. Browsers differ on this limit, with most allowing several kilobytes. However, IE takes the unusual step of specifically crippling the size of a javascript: URL to 508 characters! This makes it impossible to have complex bookmarklets without resorting to a trick. To load a large bookmarklet in IE, the bookmarklet has to bootstrap a larger JavaScript file by dynamically creating a SCRIPT tag and pointing its source attribute at a file containing the rest of the bookmarklet's JavaScript. This means IE sends an HTTP request to fetch the rest of the script! This is actually a privacy violation, because the HTTP request for the larger JavaScript file will carry an HTTP referer (sic) header with the URL of the webpage the person is invoking the bookmarklet on. Depending on the setup, it is possible that a user is telling the bookmarklet creator each and every time they use the bookmarklet, as well as what website they are using it on.
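To make the mechanics concrete, here is an added example (not code from the original post) that models the 508-character limit the post quotes, builds the SCRIPT-tag bootstrap stub it forces, and shows what the Referer header on the resulting script request exposes. The script and page URLs, and the HTTPS-to-HTTP suppression rule from HTTP/1.1, are assumptions for illustration.

```javascript
// Added example: models the IE javascript: URL limit, the bootstrap trick
// it forces, and the Referer leak that trick produces. The 508 figure is
// the one quoted in the post; the URLs below are constructed for the demo.

// Length limit IE applies to a javascript: URL, as stated in the post.
const IE_JAVASCRIPT_URL_LIMIT = 508;

// Wrap raw JavaScript as a javascript: URL the way a bookmarklet stores it.
// The IIFE keeps the bookmarklet's variables off the page's global scope and
// the trailing void(0) stops the browser navigating to the return value.
function toBookmarkletUrl(code) {
  return 'javascript:(function(){' + code + '})();void(0);';
}

// True when the bookmarklet URL is too long for IE and must be bootstrapped.
function exceedsIeLimit(bookmarkletUrl) {
  return bookmarkletUrl.length > IE_JAVASCRIPT_URL_LIMIT;
}

// The bootstrap stub: a tiny bookmarklet that injects a SCRIPT tag pointing
// at the real code. Fetching that script is what sends the Referer header.
function bootstrapStub(scriptUrl) {
  const loader =
    'var s=document.createElement("script");' +
    's.src=' + JSON.stringify(scriptUrl) + ';' +
    'document.body.appendChild(s);';
  return toBookmarkletUrl(loader);
}

// What the browser puts in the Referer header for that script request:
// the page the bookmarklet was clicked on, query string included, minus any
// #fragment. HTTP/1.1 (RFC 2616 15.1.3) says a client should not send a
// Referer to a plain-HTTP resource from an HTTPS page, so that case yields
// null; hosting the bootstrapped script over HTTP is where the leak is worst.
function refererSentForBootstrap(pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (page.protocol === 'https:' && script.protocol === 'http:') {
    return null;
  }
  page.hash = '';
  return page.href;
}

// Constructed walk-through: a 600-character bookmarklet body, the stub that
// replaces it in IE, and the URL the stub's script request would disclose.
function demo() {
  const big = toBookmarkletUrl('x'.repeat(600));
  const stub = bootstrapStub('http://bookmarklet-host.example/big.js');
  const leaked = refererSentForBootstrap(
    'http://news.example/story?id=42#top', 'http://bookmarklet-host.example/big.js');
  return { tooLong: exceedsIeLimit(big), stubFits: !exceedsIeLimit(stub), leaked };
}
```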

The bottom line is bookmarklets are a very cool and powerful feature. Any security enhancement gained by limiting their length is far outweighed by the privacy violation it creates.
 

About Billy

Billy Hoffman is the lead researcher for SPI Labs.