[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Godmar Back godmar at gmail.com
Tue Jul 19 02:24:16 EDT 2005


I see - so you're providing a new "global object" for user script code
that is different from the content's global object - this means you no
longer have to attach privileged objects to the content's global
object.

This gives you essentially namespace-based (or call it scope-based)
protection, leaving you with the issue of GM scripts that willfully
leak names - and as such privileges - to untrusted pages - but the
truly accidental exposure as of now is no longer possible.

 - Godmar

On 7/19/05, Aaron Boodman <zboogs at gmail.com> wrote:
> No,
> 
> User scripts always have access to GM_xmlhttpRequest - no matter when
> they execute - because they are in their global scope.
> 
> Content does not have access to GM_xmlhttpRequest because
> GM_xmlhttpRequest is not on content's global scope.
> 
> Maybe you're confusing scope and security context. The global scope of
> content is the window object -- that's why content can call alert( )
> instead of window.alert( ) and it works.
> 
> The global scope for our user scripts will be a new object whose
> prototype is the content window. But that object will also have some
> new properties, GM_xmlhttpRequest is one of them. But that new object
> is not in content's scope chain at all.
> 
> 
> --
> Aaron
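The scope arrangement discussed in this thread, as an added sketch that is not code from either poster or from Greasemonkey. It assumes a plain object standing in for the content window, a stub for GM_xmlhttpRequest, and a hypothetical `runIn` helper that uses `with` to put an object at the head of the scope chain.

```javascript
// Constructed stand-in for the page's window object (content's global scope).
function makeContentWindow() {
  const win = { alert: (msg) => "alert:" + msg };
  win.window = win; // like a real window, it refers to itself
  return win;
}

// Hypothetical helper: the user script's global object. Its prototype is the
// content window; the privileged API is an own property of the new object.
function makeUserScriptScope(contentWindow) {
  const scope = Object.create(contentWindow);
  scope.GM_xmlhttpRequest = () => "privileged request"; // stub, assumption
  return scope;
}

// Hypothetical helper: evaluate an expression with scopeObject at the head of
// the scope chain. Function() bodies are sloppy mode, so `with` is allowed.
function runIn(scopeObject, expression) {
  const fn = new Function("__scope", "with (__scope) { return (" + expression + "); }");
  return fn(scopeObject);
}

function demo() {
  const content = makeContentWindow();
  const userScope = makeUserScriptScope(content);
  const result = {};

  // User script: sees its own privileged name and, via the prototype,
  // everything on the content window.
  result.userSeesApi = runIn(userScope, "typeof GM_xmlhttpRequest");
  result.userSeesAlert = runIn(userScope, "alert('hi')");

  // Content: the new object is not in its scope chain, so the name is absent.
  result.contentSeesApi = runIn(content, "typeof GM_xmlhttpRequest");
  result.contentOwnsApi = Object.prototype.hasOwnProperty.call(content, "GM_xmlhttpRequest");

  // The remaining issue: a script that deliberately attaches the privileged
  // function to the content window makes it reachable from content code.
  runIn(userScope, "window.leaked = GM_xmlhttpRequest");
  result.contentSeesLeak = runIn(content, "typeof leaked");
  return result;
}

console.log(demo());
```

The last two lines of `demo` show why scope-based separation only rules out accidental exposure: the content window is reachable from the script, so any privileged reference stored on it is visible to the page.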

