[Greasemonkey] greasemonkey for secure data over insecure networks
lists at atrus.org
Tue Jul 19 00:53:30 EDT 2005
Nikolas Coukouma wrote:
>Godmar Back wrote:
>>On a related note, the fact that xmlhttprequest doesn't exclude local
>>file:// URLs means that not only would placing this ability into a page
>>allow a malicious attacker to read local files, but it also allows the
>>GM script itself to read all local files. This is still true for the
>>sandbox approach Aaron is currently investigating, if the sandbox
>>includes chrome-privileged access to xmlhttprequest.
>>How many people want to grant GM script writers access to their local
>>hard drive when they install a GM script?
>>My point is that scripts should be required to declare what privileges
>>they need, and this must be enforced - either using Mozilla's security
>>model or by implementing your own.
>The good news is that we're wrapping the object, so we can check to see
>if it uses the file: scheme. Applying a whitelist seems like the obvious
>approach (allow only http, https, ftp). That would prevent nastiness
>file - your hard drive
>chrome - everything in FF, including other scripts and extensions
>about - about:config, about:cache, others?
Er, I should comment that I'm not even sure this is a problem, per se.
There are perfectly good reasons for wanting access to chrome URLs (e.g.
including other scripts). It's all a matter of trust. We seem to
generally agree that user scripts shouldn't be able to modify files on
your computer or use arbitrary Mozilla/Firefox APIs, but that's about it.
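
The scheme whitelist proposed in the quoted text above (allow only http, https, ftp on the wrapped request object), as an added example that is not part of the original post and is not Greasemonkey's own code. The function names, the page URL and the sample URLs are constructed for illustration.

```javascript
// Added example: scheme allow-list for a wrapped request function.
// ALLOWED_SCHEMES, checkRequestUrl and makeGuardedRequest are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Resolve the URL against the page, then decide on the parsed scheme.
// Parsing first handles relative URLs, mixed case and leading whitespace,
// which a string-prefix test would get wrong.
function checkRequestUrl(rawUrl, pageUrl) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl), pageUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { allowed: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { allowed: true, url: parsed.href };
}

// Wrap the underlying sender so every request passes through the check
// and is issued with the normalized URL that was actually checked.
function makeGuardedRequest(send, pageUrl) {
  return function guardedRequest(details) {
    const verdict = checkRequestUrl(details.url, pageUrl);
    if (!verdict.allowed) throw new Error("blocked: " + verdict.reason);
    return send({ ...details, url: verdict.url });
  };
}

// Constructed sample inputs, as a script running on PAGE might pass them.
const PAGE = "http://example.com/app/index.html";
const SAMPLES = [
  "data/feed.xml",                        // relative, resolves to http
  "https://example.org/api",
  "ftp://ftp.example.org/pub/file.txt",
  "//example.org/x",                      // scheme-relative, inherits http
  "file:///etc/passwd",
  "  FILE:///etc/passwd",                 // whitespace and upper case
  "chrome://browser/content/browser.xul",
  "about:config",
];

function runSamples() {
  return SAMPLES.map((u) => [u, checkRequestUrl(u, PAGE).allowed]);
}
for (const [u, ok] of runSamples()) console.log(ok ? "ALLOW" : "BLOCK", JSON.stringify(u));
```

The check covers only the URL passed to the wrapper; a redirect followed by the underlying request is not re-checked by this code.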