[Greasemonkey] GM is great, but Security questions - yet again

Edward Lee edilee at gmail.com
Fri Apr 1 16:04:53 EST 2005


On Apr 1, 2005 3:47 PM, Aaron Boodman <zboogs at gmail.com> wrote:
> @include *citibank.com/*

Hrmmm... Interesting situation.. There's nothing really preventing this
from happening in an extension either. While the source is easily
viewable to anyone who uses extensions/user scripts, something could
be hidden to do something like that. It can be a very short line of
code, or like what I was saying earlier, dynamic remote scripting by
sending commands through the xmlhttprequest.

Also, the default @include is *, and plenty of scripts are not site
specific, so just letting the user know which sites it'll run on
wouldn't be too useful.

But then again, we're working with xmlhttprequests? I wonder if they
can even send httpS which most likely is what is being used.

-- 
Ed
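
An added example, not part of the original message and not Greasemonkey's own code: a pre-install check that reads a user script's metadata block, applies the default @include of * when none is declared, and flags scripts that both reach a watched URL and reference a background-request API. The sample scripts, the watch list and the function names are constructed for this sketch, and the glob handling is simplified to treat * as the only wildcard.

```javascript
// Constructed sample scripts (not from the original thread).
const SAMPLE_NO_INCLUDE = [
  "// ==UserScript==",
  "// @name  Feed helper (constructed sample)",
  "// ==/UserScript==",
  'GM_xmlhttpRequest({ method: "GET", url: "http://example.org/feed" });',
].join("\n");
const SAMPLE_SCOPED = [
  "// ==UserScript==",
  "// @include http://example.org/*",
  "// ==/UserScript==",
  'document.title = "restyled";',
].join("\n");
// URLs the reviewer cares about (assumed watch list for this sketch).
const SENSITIVE = ["https://www.citibank.com/login", "https://bank.example/account"];

// Return the declared @include patterns, or the default "*" when there are none.
function parseIncludes(source) {
  const block = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  const includes = [];
  const line = /^[ \t]*\/\/[ \t]*@include[ \t]+(\S+)/gm;
  let m;
  while (block && (m = line.exec(block[1])) !== null) includes.push(m[1]);
  return includes.length ? includes : ["*"];
}

// Simplified glob: "*" is the only wildcard; everything else is literal.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Report where a script runs and whether it can make background requests.
function auditScript(source, sensitiveUrls) {
  const includes = parseIncludes(source);
  const patterns = includes.map(globToRegExp);
  const reaches = sensitiveUrls.filter((u) => patterns.some((p) => p.test(u)));
  const usesXhr = /\b(GM_xmlhttpRequest|XMLHttpRequest)\b/.test(source);
  return {
    includes,
    runsEverywhere: includes.includes("*"),
    reaches,
    usesXhr,
    needsReview: usesXhr && reaches.length > 0,
  };
}

console.log(auditScript(SAMPLE_NO_INCLUDE, SENSITIVE));
console.log(auditScript(SAMPLE_SCOPED, SENSITIVE));
```

The string match for request APIs is a triage heuristic; a script can reach them indirectly, so a clean result does not replace reading the source.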

