[Greasemonkey] greasemonkey for secure data over insecure networks / sites
jdunck at gmail.com
Mon Jul 18 23:54:37 EDT 2005
On 7/18/05, Nikolas Coukouma <lists at atrus.org> wrote:
> The good news is that we're wrapping the object, so we can check to see
> if it uses the file: scheme. Applying a whitelist seems like the obvious
> approach (allow only http, https, ftp). That would prevent nastiness
> like grabbing
> file - your hard drive
> chrome - everything in FF, including other scripts and extensions
> about - about:config, about:cache, others?
GM_xmlhttpRequest being able to access file:// isn't the critical
problem here, as far as I'm concerned. The problem is that arbitrary
sites can catch a leaking script injection, which allows arbitrary
sites to access the local files using GM_xmlhttpRequest.
Which is to say-- installation of a user script indicates some level
of trust-- visiting a site, obviously, does not.
If folks feel that in general, we shouldn't allow file://, well, OK,
but let's not confuse the issue.
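
The scheme whitelist proposed in the quoted message, sketched as an added example (not code from this post or from Greasemonkey). `checkRequestUrl`, `guardedRequest`, `privilegedRequest` and the sample URLs are hypothetical names and constructed inputs. The check decides on the scheme of the parsed, resolved URL rather than on a string prefix, so case, leading whitespace and relative URLs are handled.

```javascript
// Schemes from the quoted proposal: allow only http, https, ftp.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Hypothetical helper. Resolve `target` against the page URL the way a
// browser would, then judge the resolved scheme. A relative URL inherits
// the page's scheme, so a page loaded from file: cannot slip through.
function checkRequestUrl(target, pageUrl) {
  let resolved;
  try {
    resolved = new URL(String(target), pageUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(resolved.protocol)) {
    return { allowed: false, reason: "scheme " + resolved.protocol + " not allowed" };
  }
  return { allowed: true, url: resolved.href };
}

// Hypothetical wrapper. `privilegedRequest` stands in for the wrapped,
// privileged request function; it is not called for a blocked URL.
function guardedRequest(details, pageUrl, privilegedRequest) {
  const verdict = checkRequestUrl(details.url, pageUrl);
  if (!verdict.allowed) {
    throw new Error("blocked: " + verdict.reason);
  }
  // Hand on the normalized URL so the check and the request agree.
  return privilegedRequest(Object.assign({}, details, { url: verdict.url }));
}

// Constructed sample inputs: [target, page URL].
const SAMPLES = [
  ["/api/data", "http://example.test/page"],
  ["ftp://ftp.example.test/pub/file", "http://example.test/page"],
  ["FILE:///etc/hosts", "http://example.test/page"],
  ["  file:///etc/hosts", "http://example.test/page"],
  ["chrome://browser/content/", "http://example.test/page"],
  ["about:config", "http://example.test/page"],
  ["notes.txt", "file:///home/user/page.html"],
];

function runSamples() {
  return SAMPLES.map(([t, p]) => checkRequestUrl(t, p).allowed);
}

console.log(runSamples());
```

This covers only the scheme filter; the point made in the reply, that a page getting hold of the privileged function at all is the real problem, is a separate matter that a whitelist does not address.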