[Greasemonkey] GM_xmlhttpRequest and localhost

Godmar Back godmar at gmail.com
Tue Jul 19 10:33:27 EDT 2005


My thinking was that there are default installations of various
servers out there that would grant special privileges to clients
connecting from the same machine.

For instance, they might grant access to an admin console; or they
might export the entire local filesystem via http to clients
connecting from the same machine.

I know I have set up things like that for debugging - Nic points out
further down in this thread that he does that too.  CUPS (a printer
configuration system) is another example of an http-based system that
gives special privileges to clients connecting from localhost when set
up that way. I'm sure other people know other examples, especially
considering the rapid adoption of such technologies as SOAP over http.

By localhost I do not mean only localhost 127.0.0.1 via loopback, I
mean any IP address that gets back to the same machine. Taking this a
step further, one needs to worry about access to an intranet from
behind a firewall.

Maybe it could be an option a user has to explicitly enable (a
checkbox in your "install script" box that says "grant access to
intranet/localhost"?)

 - Godmar

On 7/19/05, Aaron Boodman <zboogs at gmail.com> wrote:
> On a previous thread, it was pointed out that if GM_xmlhttpRequest is
> not going to allow access to file:// then it should not allow access
> to http://localhost either.
> 
> I'm not sure I agree. Lots of useful Greasemonkey scripts could be
> written that access the private network, including localhost. Can
> somebody expand more on why this is a concern?
> 
> --
> Aaron
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>


More information about the Greasemonkey mailing list