[Greasemonkey] Alternative script injection technique proof of concept

Aaron Boodman zboogs at gmail.com
Tue Jul 19 08:17:54 EDT 2005


On 7/19/05, John Plsek <gm at plsek.id.au> wrote:
> You can have an optionally neutered mode - that allows end users to
> decide if the scripts (on a per script basis) get run in neutered or
> exposed mode ... I'm doing it now!! I've made a dochandler.js that has
> the sandbox code for 1.1, neutered form of 0.4, standard form of 0.4,
> and my eval method - the last just for kicks ;-)
> 
> Sorry, I know I seem to be pushing the options route, but I use cross
> domain GM_xmlHttpRequest in most of my scripts, and GM_get/set in some
> ... in fact, only one out of my 6 scripts doesn't use any GM_* function.
> 
> It's a matter of trust, I guess. I trust, for instance,
> search.ebay.com.au will never have any malicious code ... and since I
> only include the script for http://search.ebay.com.au/* there's no way
> that script can expose me to risk ... so I let my script run as it did
> before,

That makes sense. It's a good temporary solution for you. I'd like to
try to make the actual distro a little more robust, but that is a good
option for people to have in the meantime.

- a

