Log-in: How does the bookmarklet works?

I just successfully subscribed to a feed through the bookmarkletwhile I wasn’t logged in at www.newsblur.com. I wasn’t asked my Newsblur password.
I use Firefox with the native password manager and I wasn’t asked the password until I tried to log in at www.newsblur.com.
There were no cookies whatsoever before using the bookmarklet.

How does this work?

I expect my browser not being able to subscribe any feed unless I explicitly insert the Newsblur password or I unlock the Firefox password manager. Maybe something is screwed in my setup so I’d like to understand more.

Update:
I’ll add that I had registered Newsblur as a feed reader in Firefox, so in “about:config”,
“browser.contentHandlers.auto.application/vnd.mozilla.maybe.feed” is set to “https://www.newsblur.com/?url=%s”. Same for “browser.feeds.handlers.webservice” and another couple of keys.

1 Like

Would more details help to provide an answer?
I’m still concerned. I’m available to do some testing if necessary.

On a side note, I could reproduce this behaviour in a slightly different setting too:
I tried to subscribe to a new feed on a separate, “Private Browsing” Firefox instance, where I wasn’t logged in the Newsblur website. Then, from a normal Firefox instance I logged in the website, and there I could verify that the new feed had been added to my list.

There’s a secret token in the URL the bookmarklet uses to load the script. eg:
https://www.newsblur.com/api/add_site_load_script/gobbledygook

It seems to identify you based on this token, rather than a session cookie or password:
https://github.com/samuelclay/NewsBlur/blob/master/apps/api/views.py#L88 (I think)

1 Like

John is correct.

I see. While I can’t read that JS code, I now understand the logic, which makes me more comfortable.
Thanks to both of you!