[Greasemonkey] Script leakage
ted.mielczarek at gmail.com
Wed Jul 13 16:01:58 EDT 2005
On 7/13/05, Aaron Boodman <zboogs at gmail.com> wrote:
> > var ce = Components.lookupMethod(document, createElement")
> > This works in chrome, but won't work in untrusted JS pre-Firefox 1.1.
> > Also you can use XPCNativeWrapper(), see
> > http://kb.mozillazine.org/XPCNativeWrapper
> Will the node that is created/appended *also* be invisible to content?
> I thought this was just to make sure you don't get a method you think
> is createElement, but is actually a hacker's method.
No, I meant to add a note about that, sorry. The only way I could
think to do that would be using XBL, which is probably out of the
scope of GM.
> > > element, but remaining in the content's security context
> > You want mozIJSSubScriptLoader:
> > http://www.xulplanet.com/references/xpcomref/ifaces/mozIJSSubScriptLoader.html
> > See also http://weblogs.mozillazine.org/weirdal/archives/008101.html
> I've played with it, but I couldn't figure out how to run it in a
> security context less than chrome. Other than that, it is ideal. Do
> you know how?
Hm, after playing with it for a bit you're right. I'm not sure
there's any way to do that.
More information about the Greasemonkey