[Greasemonkey] Avoiding information leakage

Aaron Boodman zboogs at gmail.com
Fri Apr 8 03:53:17 EDT 2005


I think that the fix that is being talked about for 1.0.3 might be
relevant here. If I understand it right, the desire is to make
separate wrappers around DOM nodes for accessing via chrome and
accessing via content.

If I understand correctly, this means that things which get done to
the content via chrome are invisible to content.

Interesting if so.

-- 
Aaron

On Apr 8, 2005 2:49 AM, Simon Willison <cs1spw at bath.ac.uk> wrote:
> A potentially useful pattern for greasemonkey scripts is merging
> private data in to public sites. Jon Udell wrote about his desire to
> add private bookmarks to del.icio.us, and I am developing a website
> annotation system using greasemonkey which merges privately stored
> annotations on to public pages:
> 
> http://simon.incutio.com/archive/2005/03/30/lightweight
> 
> There's one major problem with this kind of technique. If you want to
> merge private data on to public web pages, you do it by modifying the
> page's DOM. What's to stop a script on those pages from waiting until
> you have merged in your private data, then traversing the DOM,
> gathering it and sending it back to a server somewhere? It would be
> trivial, for example, to deploy a script on a public site which
> "steals" supposedly private annotations from my annotation system.
> 
> This problem is almost certainly out-of-scope for greasemonkey, but
> it's something that people should be aware of nonetheless. I'm not even
> sure if there's a way of avoiding this using a full-blown extension.
> 
> Cheers,
> 
> Simon Willison
> http://simon.incutio.com/
> 
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>


More information about the Greasemonkey mailing list