[Greasemonkey] GM_xmlhttpRequest-induced Firefox crash

Nikolas Coukouma lists at atrus.org
Tue Apr 26 02:36:55 EDT 2005


Edward Lee wrote:

>On 4/25/05, Tony Chang <tony at ponderer.org> wrote:
>
>>Disabling GM_xmlhttpRequest doesn't increase security.
>
>Not entirely true. Hidden images, iframes do allow sending data out
>from the current page, but (GM_)xmlhttprequests allow data to be
>received and analyzed. Unless you're opening an iframe to the same
>domain, sandboxed scripts cannot access the contents of the page
>returned. You could do something like
>eval(xmlhttprequest.responsetext) for some fun remote procedure call..
>kinda ;)
>
>There is an issue of bandwidth. Perhaps someone doesn't want to
>automatically (and unknowingly) send/receive possibly many MB of data
>probably in the form of images or files. But I don't really think it's
>too big of a problem.
>
I think bandwidth is an interesting concern, but I'm not sure disabling 
GM_xmlhttpRequest is the right way to go. I think some sort of 
user-rated field on (forthcoming) userscript.org would probably be the 
best way to address this.

-Nikolas 'Atrus' Coukouma
