[Greasemonkey] GM_xmlhttpRequest-induced Firefox crash

Fredrik Matheson fredrik.matheson at gmail.com
Wed Apr 27 16:23:13 EDT 2005


On 4/26/05, Nikolas Coukouma <lists at atrus.org> wrote:
> Edward Lee wrote:
> 
> >On 4/25/05, Tony Chang <tony at ponderer.org> wrote:
> >
> >
> >>Disabling GM_xmlhttpRequest doesn't increase security.
> >>
> >>
> >
> >Not entirely true. Hidden images, iframes do allow sending data out
> >from the current page, but (GM_)xmlhttprequests allow data to be
> >received and analyzed. Unless you're opening an iframe to the same
> >domain, sandboxed scripts cannot access the contents of the page
> >returned. You could do something like
> >eval(xmlhttprequest.responsetext) for some fun remote procedure call..
> >kinda ;)
> >
> >There is an issue of bandwidth. Perhaps someone doesn't want to
> >automatically (and unknowingly) send/receive possibly many MB of data
> >probably in the form of images or files. But I don't really think it's
> >too big of a problem.
> >
> >
> >
> I think bandwidth is an interesting concern, but I'm not sure disabling
> GM_xmlhttpRequest is the right way to go. I think some sort of
> user-rated field on (forthcoming) userscript.org would probably be the
> best way to address this.
> 
> -Nikolas 'Atrus' Coukouma
> 

