[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Godmar Back godmar at gmail.com
Mon Jul 18 23:49:48 EDT 2005


On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> This approach would only work if it is possible to identify that the
> call chain does not include script code not inserted by GM.  You
> could, for instance wrap the insert code like so:
> function f() {
>  the user's script goes here
> }
> f();
> and then ensure that "f" is in the call path before granting GM_
> privileges.  Make sure that you don't use 'f', but an impossible to
> guess dynamically created name.
> 

One second thought, I don't think this is possible without using
complete stack inspection. For instance, a script might associate code
with event handlers. This code is then invoked later from a different
context; it could conceivably high-jacked as well.

I'm not sure how JavaScript implements closures, but if a closure
contains a reference to the enclosing funciton in which is was
created, you could check that closure for the magic function name
before allowing the call to the GM_ function.

 - Godmar


More information about the Greasemonkey mailing list