Log-in: How does the bookmarklet work?

  • Question
  • Updated 5 years ago
  • (Edited)
I just successfully subscribed to a feed through the bookmarklet while I wasn't logged in at www.newsblur.com. I wasn't asked for my Newsblur password.
I use Firefox with the native password manager and I wasn't asked for the password until I tried to log in at www.newsblur.com.
There were no cookies whatsoever before using the bookmarklet.

How does this work?

I expect my browser not to be able to subscribe to any feed unless I explicitly insert the Newsblur password or I unlock the Firefox password manager. Maybe something is screwed up in my setup, so I'd like to understand more.

Update:
I'll add that I had registered Newsblur as a feed reader in Firefox, so in "about:config",
"browser.contentHandlers.auto.application/vnd.mozilla.maybe.feed" is set to "https://www.newsblur.com/?url=%s". Same for "browser.feeds.handlers.webservice" and another couple of keys.

pxlmsc


Posted 5 years ago


pxlmsc

Would more details help to provide an answer?
I'm still concerned. I'm available to do some testing if necessary.

On a side note, I could reproduce this behaviour in a slightly different setting too:
I tried to subscribe to a new feed on a separate, "Private Browsing" Firefox instance, where I wasn't logged in to the Newsblur website. Then, from a normal Firefox instance, I logged in to the website, and there I could verify that the new feed had been added to my list.

John Morahan

There's a secret token in the URL the bookmarklet uses to load the script, e.g.:
https://www.newsblur.com/api/add_site_load_script/gobbledygook

It seems to identify you based on this token, rather than a session cookie or password:
https://github.com/samuelclay/NewsBlur/blob/master/apps/api/views.py#L88 (I think)

Samuel Clay, Official Rep

John is correct.

pxlmsc

I see. While I can't read that JS code, I now understand the logic, which makes me more comfortable.
Thanks to both of you!
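
The mechanism John Morahan describes, where a secret token in the bookmarklet URL identifies the account instead of a session cookie or password, sketched as an added example (not part of the thread and not NewsBlur's code). The host `reader.example`, the in-memory stores and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory stores standing in for a user database.
TOKEN_HASHES = {}   # sha256(token) -> username
FEEDS = {}          # username -> list of feed URLs


def issue_token(username):
    """Create a random per-user token; only its hash is stored server-side."""
    # Revoke any earlier token so a leaked bookmarklet can be invalidated.
    for digest, owner in list(TOKEN_HASHES.items()):
        if owner == username:
            del TOKEN_HASHES[digest]
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[hashlib.sha256(token.encode()).hexdigest()] = username
    FEEDS.setdefault(username, [])
    return token


def bookmarklet_url(token):
    # Constructed host; the path shape mirrors the URL quoted in the thread.
    return "https://reader.example/api/add_site_load_script/" + token


def user_for_token(token):
    """Resolve the account from the URL token alone (no cookie, no password)."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, owner in TOKEN_HASHES.items():
        if hmac.compare_digest(stored, digest):
            return owner
    return None


def add_site(token, feed_url, cookies=None):
    """Token-scoped endpoint: it can subscribe to a feed and nothing else."""
    # `cookies` is accepted and ignored to show the session plays no part.
    user = user_for_token(token)
    if user is None:
        return 403
    if not feed_url.startswith(("http://", "https://")):
        return 400
    if feed_url not in FEEDS[user]:
        FEEDS[user].append(feed_url)
    return 200
```

Because the token alone authorizes the request, the bookmarklet URL works from a private window or any other browser, which matches what the question observed. In this sketch the token is limited to subscribing, and reissuing it revokes the old bookmarklet.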