4

I want to create a Delicious bookmarklet in Firefox that bookmarks the current page with a predefined tag.

For proof of concept, if I enter this url, it works:

https://john:pwd@api.del.icio.us/v1/posts/add?url=http://www.google.com&
    description=http://www.google.com&tags=testtag

But this as a bookmarklet doesn't, I get access denied:

javascript:(

    function()
    {
        location.href = 'https://john:pwd@api.del.icio.us/v1/posts/add?url=' 
            + encodeURIComponent(window.location.href)
            + '&description=' + encodeURIComponent(document.title)   
            + '&tags=testtag';
    }

)()

Is this possible via a javascript bookmark?

Update: I tried this, but still got the access denied error, so it has something to do with Javascript/Firefox.

javascript:(

    function()
    {
        location.href = 'https://john:pwd@api.del.icio.us/v1/posts/add?url='
            + 'http://www.google.com'
            + '&description=' + 'http://www.google.com' + '&tags=testtag';
    }

)()

Update 2: After trying many variations of the above and on different browsers, I still can't get past the access denied message, so offering a bounty.

Michael Paulukonis
  • 9,020
  • 5
  • 48
  • 68
Steve
  • 5,802
  • 12
  • 54
  • 76

2 Answers2

2

I suspect this is Firefox trying to protect you from security issues when running Javascript. When I tried typing in your example into my address bar, Firefox prompted me to ask if I am sure I want to log in to api.del.icio.us.

This other question concerning HTTP auth looks similar to your question, maybe it will help you.

Update:

I used Firebug's Net panel and its Javascript console, and I was able to see the request/response headers.

Here is the request from the Javascript console, which FAILED:

GET /v1/posts/add?url=http://www.spoons.com/&description=forks&tags=knives HTTP/1.1
Host: api.del.icio.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://stackoverflow.com/questions/2708950/2740195
Authorization: Basic XXXXXXXXXXXXXXXXX
Cache-Control: max-age=0

And, here is the request from the address bar, which WORKED:

GET /v1/posts/add?url=http://www.spoons.com/&description=forks&tags=knives HTTP/1.1
Host: api.del.icio.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Authorization: Basic XXXXXXXXXXXXXXXXX
Cache-Control: max-age=0

The only difference seems to be the Referer header, which caused the access denied response. The setting network.http.sendRefererHeader in Firefox's about.config can be set to 0 which turns off the Referer header. When I tried this, then the Javascript console method started working.

There is a Firefox extension called refspoof which is useful for sending your own custom Referer headers, maybe that can help here.

Community
  • 1
  • 1
Kevin Panko
  • 8,356
  • 19
  • 50
  • 61
  • Thanks for the link. I've tried tracing via Firebug, but really couldn't get anywhere with that as https limits what you can see. When I put the input the url directly, I get the prompt, click OK and it works. When you put it in a bookmarklet, it acts differently. – Steve Apr 30 '10 at 17:44
  • That sounds promising. I'll give it a try tonight. If it works in the console, it should work for a bookmarklet. – Steve Apr 30 '10 at 20:26
  • Thanks! It worked. Not sure if I want to install refspoof, as I don't mind disabling the referrer setting via about:config for now. Maybe I can make an extension that sets it to 0, runs a script and sets it back to 2. Offhand, other than sites not getting credit for being a referrer, what are the consequences for keeping referrer to 0 permanently? I also wonder why Delicious/Yahoo did it this way? – Steve May 01 '10 at 12:54
  • Nevermind, reading up on the referrer option - lots of consequences disabling it. – Steve May 01 '10 at 13:06
  • It is probably a security feature -- if I embed some script on my page that calls their API, I might be able to trick people into bookmarking my page. The referer header may indicate this sort of trickery, so they reject it. – Kevin Panko May 01 '10 at 20:15
  • Yes, that's what someone in Delicious's api forum said to me. Anyways, I would guess the api is subject to change and this might not work pending future changes, but I doubt the Yahoo folks are reading this. Anyways, my motives are not pernicious, but to save myself time. – Steve May 02 '10 at 16:42
1

Looks like you're missing url=.

Jeffery To
  • 11,836
  • 1
  • 27
  • 42
  • I tried your example (with the URL encoded) in Firefox 3.6 and it worked. Are you logged into Delicious with another username? Are you using a Yahoo ID to log into Delicious? – Jeffery To Apr 26 '10 at 01:48
  • It did? Awesome. I'm using FF 3.6.2 and I completely exited FF and tried a non-Yahoo and Yahoo account. Still won't work. For the Yahoo account, I used zzz:pwd and zzz@yahoo:pwd. Also turned off my firewall and didn't work. Did you get a warning messagebox that read "You are about to log in to the site with ... but the website does not require authentication? – Steve Apr 26 '10 at 14:15
  • I tried a non-Yahoo account and it worked (it did show the authentication warning). According to http://delicious.com/help/api Yahoo accounts use a /v2 path and require OAuth. – Jeffery To Apr 26 '10 at 14:37
  • 1
    Maybe you found a bug? I posted this issue to the delicious forum and they said it shouldn't work. http://support.delicious.com/forum/comments.php?DiscussionID=4334&page=1#Comment_18163. Anyways, I tried OAuth, used v2 and got this: Please provide valid credentials. OAuth oauth_problem="unable_to_determine_oauth_type", realm="yahooapis.com". – Steve Apr 26 '10 at 16:42