[Greasemonkey] GM is great, but Security questions - yet again

Edward Lee edilee at gmail.com
Fri Apr 1 15:15:18 EST 2005


On Apr 1, 2005 2:04 PM, Jeremy Dunck <jdunck at gmail.com> wrote:
> Actually, any page can do that using IFrame and form post.  There's
> nothing new about cross-domain requests.  GM_xmlhttpRequest just makes
> it more convenient.   An evil person would not be stopped by the
> IFrame speedbump.

Well, if you're talking about something I did before with IFrames and
POST requests.. the communication is still just 1 way. I suppose you
could still do "evil" things relating to sending information, but a
script cannot access the contents of the IFrame if it's in another
domain. XMLHttpRequests returns a responseText/XML which can be
analyzed, parsed, executed, etc.

Kinda sounds like an idea I had earlier ;) Dynamic user.js files based
on user input/login that use GM_xmlhttpRequests to get more
information from the server for more dynamic scripting. Hrmm.. even
more interesting is that the remote dynamic script returned from the
xmlrequest could have the user script make more GM_xmlhttpRequests.

-- 
Ed


More information about the Greasemonkey mailing list