2

Hello! As I have done before, and as I have also read on many websites, simply writing:

javascript:alert(document.cookie);

should work on any web page. But now I was not able to execute it. I have checked it with Firefox and Chrome. Why is it not possible to do it?

0

1 Answer

3

javascript: URLs have been used frequently enough in a malicious fashion ("Hey! There's this new cool thing! Go to your Google Mail inbox and copy and paste this into the address bar!") that recent browser releases have taken steps to change the way they work.

In Chrome (tested v20 on OS X), a copied and pasted "javascript:alert(document.cookie)" URL has the javascript: portion removed (MSIE 9 reportedly does similar). Manually re-adding it causes it to work as I'd expect, and shows the (available to JavaScript) cookies for the page.

In Firefox, as of ~ Firefox 6.x, javascript: (and data:) URLs no longer inherit the security context of the document in the current tab.

See Mozilla Bug 656433 - Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page for more background and some debate.

Some alternatives to javascript: URLs:

  • Browser tools such as the built-in Firefox "Web Console" or "Scratchpad" can be used to inspect and execute JavaScript in the context of the current document.

  • Firebug is a wonderful browser plugin that offers JavaScript inspection/execution and more.

  • In Chrome, the Developer Tools and JavaScript Console can be very useful.
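
The paste-time stripping that the answer above describes for Chrome can be illustrated for any application that accepts pasted URLs. This is an added example, not part of the original answer and not Chrome's actual code; the names `normalizeForSchemeCheck` and `sanitizePastedText` are hypothetical, and the whitespace handling assumes the WHATWG URL parsing rules.

```javascript
// Added illustration (hypothetical helpers, not browser source code):
// remove leading "javascript:" schemes from pasted text before it is
// treated as a URL, the behaviour the answer reports for Chrome on paste.

// URL parsers drop ASCII tab/newline anywhere in the input and ignore
// leading C0 control characters and spaces, so the scheme check has to
// look at the text the parser would actually see.
function normalizeForSchemeCheck(text) {
  return text
    .replace(/[\t\n\r]/g, "")            // ignored anywhere by the URL parser
    .replace(/^[\u0000-\u0020]+/, "");   // leading C0 controls and space
}

const JS_SCHEME = /^javascript:/i;       // scheme names are case-insensitive

// Returns { text, stripped }. `stripped` is true when a prefix was removed.
function sanitizePastedText(pasted) {
  let text = normalizeForSchemeCheck(pasted);
  let stripped = false;
  // Loop so that a doubled prefix does not survive a single pass.
  while (JS_SCHEME.test(text)) {
    text = normalizeForSchemeCheck(text.replace(JS_SCHEME, ""));
    stripped = true;
  }
  // Input without the scheme is returned exactly as pasted.
  return stripped ? { text, stripped } : { text: pasted, stripped };
}

// Constructed sample inputs, not taken from the page.
const samples = [
  "javascript:alert(document.cookie)",
  "  JavaScript:alert(1)",
  "java\tscript:javascript:alert(1)",
  "https://example.com/?q=javascript:x",
];
for (const s of samples) {
  const r = sanitizePastedText(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(r.text), r.stripped);
}
```

Typing the prefix by hand is deliberately outside this check, which matches the answer's observation that manually re-adding `javascript:` still works in Chrome.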
