PHOBOSLAB


QuickSearch.js – Shortwave for the Paranoid

Shaun Inman just released Shortwave, an “extensible quick-search and shortcut system”. It is quite similar to YubNub or my PL Cmdline in that you use keywords to trigger different search engines.

The problem with all of these tools is the lack of anonymity. As soon as you want to define your own commands, you’ll have to create an account (YubNub or PL Cmdline), or even upload a file somewhere on your webspace and tell the app the location of this file every time you search for something (Shortwave). So in theory, every search you do through one of these tools can be logged by the website and traced back to you.

I never gave a second thought to how to fix this privacy issue, until I realized that Shortwave makes use of a JavaScript bookmarklet. So why not move all the functionality into the client-side bookmarklet, instead of passing all commands and search terms through a website? Shaun Inman thought he knew why not:

“All searches pass through the Shortwave domain for one very simple, evil-free reason: if all the triggers and destination urls were embedded in the JavaScript bookmark that bookmark would need to be updated every time a new trigger was added–in every browser and on every computer that uses it. That would be an absolute syncing nightmare.”

However, you don’t need to put all commands into the bookmarklet – instead, just let the bookmarklet load an external JavaScript file that you put on your website – just like a waves.txt for Shortwave. Sadly my comment in Shaun’s blog stating this idea was quickly deleted (along with my other comment about an XSS vulnerability on the Shortwave site). So here’s my implementation of a Client Side Shortwave, which I will just call quicksearch.js for lack of creativity.

You can create your own quicksearch.js with all the commands you want, upload it anywhere and enter the URL of your uploaded quicksearch.js in the following form to create your bookmarklet.

If you don’t need any additional commands, you can also just use the quicksearch.js from my server.

Your Bookmarklet: QuickSearch

Again, all the forwarding to the destination URL happens on the client side in the quicksearch.js Javascript. Search terms are not passed through any other website, thus making quicksearch.js completely private.
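A sketch of the client-side dispatch described above, as an added example and not the actual quicksearch.js from this site: the keywords, URL templates and function names are constructed for illustration. It encodes the search terms, treats undefined commands as a plain search with the default engine, and refuses any destination that is not http(s).

```javascript
// Added example. Command table: keyword -> URL template with a %s placeholder.
// Keywords and templates are constructed samples, not the original file's.
const COMMANDS = {
  g: 'https://www.google.com/search?q=%s',
  w: 'https://en.wikipedia.org/wiki/Special:Search?search=%s',
};
const DEFAULT_KEYWORD = 'g';

// Split "keyword search terms" into its two parts.
function parseInput(input) {
  const trimmed = String(input).trim();
  const space = trimmed.search(/\s/);
  if (space === -1) return { keyword: trimmed.toLowerCase(), terms: '' };
  return {
    keyword: trimmed.slice(0, space).toLowerCase(),
    terms: trimmed.slice(space).trim(),
  };
}

// Return the destination URL for an input line, or null for empty input.
function resolveQuery(input, commands = COMMANDS, fallback = DEFAULT_KEYWORD) {
  let { keyword, terms } = parseInput(input);
  if (!keyword) return null;
  // Own-property check, so "constructor" or "__proto__" is never a command.
  if (!Object.prototype.hasOwnProperty.call(commands, keyword)) {
    // Undefined command: search for the whole input with the default engine.
    terms = String(input).trim();
    keyword = fallback;
  }
  // Replacement function, so "$&" and similar in the terms stay literal.
  const url = commands[keyword].replace('%s', () => encodeURIComponent(terms));
  const scheme = new URL(url).protocol;
  if (scheme !== 'https:' && scheme !== 'http:') {
    throw new Error('refusing non-http(s) destination for "' + keyword + '"');
  }
  return url;
}

// In a browser, once the bookmarklet has loaded this file: ask and navigate.
if (typeof window !== 'undefined' && typeof prompt === 'function') {
  const dest = resolveQuery(prompt('QuickSearch:') || '');
  if (dest) window.location.href = dest;
}
```

The server hosting the script still sees one request per bookmarklet use (the file fetch), but not the search terms.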

Monday, July 7th 2008

3 Comments:

#1 – Simon – Monday, July 7th 2008, 14:53

Great, Shortwave looked interesting and I actually used something similar I built myself a couple of years ago (using urls like "domain.com/g/banana"), but I was reluctant to use it because of the privacy issue. Kinda weird to build a closed-source web service for this.

Sorry to hear your comments got deleted. Can't say I'm surprised though. People deleting comments like that give me the itchies.

#2 – Shaun Inman – Monday, July 7th 2008, 15:51

As I mentioned in my reply email to your deleted comment, I understand and had already replied to your position (your original comment remains). If you want to create your own version of Shortwave based on perceived privacy issues, that's totally cool, I just don't think my comments are the place to discuss it.

Your XSS vulnerability comment was deleted because the issue was immediately fixed (it only affected undefined commands, everything else was already secured).

#3 – Dominic – Monday, July 7th 2008, 16:13

Sorry, I haven't checked my mails till now and didn't see your reply. I understood that my comment on the XSS vulnerability was deleted, but the deletion of my other comment came to me as a surprise, as it (in my opinion) was neither spam nor off-topic.
