[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Aaron Boodman zboogs at gmail.com
Mon Jul 18 22:34:59 EDT 2005


Thinking more about this.

One way that GM_xmlhttpRequest could get into content is that user
scripts could put it there:

window.req = GM_xmlhttpRequest;

User scripts should not do this. Another way they could do it without
realizing it is like this:

whoops(GM_xmlhttpRequest);

function whoops(xr) {
  document.getElementById(); [or any other function in content]
}

The content function could crawl back up the stack and find the GM_*
reference. Again, scripts should not do this.

I am personally ok with this risk - a user script could be constructed
which purposely or accidentally leaks GM_* to content - combined with
the fact that GM_xmlhttpRequest will not be able to request file://
urls. I realize it's patchwork, but it seems like a reasonable
tradeoff to me. And it's not worse that GM was supposedly before.

Arguments welcome though.


More information about the Greasemonkey mailing list