[Greasemonkey] Avoiding information leakage

Simon Willison cs1spw at bath.ac.uk
Fri Apr 8 11:49:23 EDT 2005


A potentially useful pattern for greasemonkey scripts is merging 
private data in to public sites. Jon Udell wrote about his desire to 
add private bookmarks to del.icio.us, and I am developing a website 
annotation system using greasemonkey which merges privately stored 
annotations on to public pages:

http://simon.incutio.com/archive/2005/03/30/lightweight

There's one major problem with this kind of technique. If you want to 
merge private data on to public web pages, you do it by modifying the 
page's DOM. What's to stop a script on those pages from waiting until 
you have merged in your private data, then traversing the DOM, 
gathering it and sending it back to a server somewhere? It would be 
trivial, for example, to deploy a script on a public site which 
"steals" supposedly private annotations from my annotation system.

This problem is almost certainly out-of-scope for greasemonkey, but 
it's something that people should be aware of nonetheless. I'm not even 
sure if there's a way of avoiding this using a full-blown extension.

Cheers,

Simon Willison
http://simon.incutio.com/



More information about the Greasemonkey mailing list