[Greasemonkey] GM is great, but Security questions - yet again

Aaron Boodman zboogs at gmail.com
Fri Apr 1 11:49:53 EST 2005


Three things:

1) I don't think that gm_xmlhttp changes anything. XSS is no easier
than it was before, which was pretty damned easy. I have asked many
people for their disaster scenarios and nobody has been able to come
up with anything worse than what you could do pre-gm_xmlhttp. David S
has brought up that having gm_xmlhttp accessible to all DHTML (not
just user scripts) makes him uncomfortable, but for no specific
reason. I have to agree. I have an idea of how to fix this, and will
be updating my current patch to .2.6 soon with it.

2) I think the social method of controlling malicious userscripts is
really really good. I'm excited about Jeremy's del.icio.us idea. If
the UI is right, I think it will be really, really hard for evil users
to distribute evil scripts. To that end, I have started sketching a
new UI for Greasemonkey which integrates this stuff among other Cool
New Things. I am OmniGraffling it on the bus to and from work and hope
to send a rough draft to the list for comment this weekend.

3) I have an idea for an extension to improve Mozilla's security in
general. I wrote about it here:
http://greaseblog.blogspot.com/2005/03/and-now-for-something-less-snarky.html.
This is something I still want to pursue; even with the hole I
mentioned at the end, I think it would still be very useful. We could
encourage Greasemonkey users to install it.

