[Greasemonkey] say hooray for evalInSandbox()

Aaron Boodman zboogs at gmail.com
Tue Jul 19 09:19:26 EDT 2005


> While I strongly applaud your efforts in the suddenly-come-to-light
> security issues, I hope this isn't the final solution =)  I absolutely
> love greasemonkey, I have written quite a range of scripts for it, and
> I currently have 11 include * scripts, and a few site specifics.  It
> simply won't work to have a half second delay added on every page.

Heck no. All of that startup cost appears to be initializing a new
javascript engine. I don't really need to do that. With some
wrangling, I should be able to reuse one engine over and over. If I
can't get the speed down, I won't implement it this way. As you said,
it's not acceptable.

> As an aside, if I read the other long thread correctly there's only
> two actual issues to consider:
> 
> - Leaking API calls (and through them local files)
> - Leaking script source
> 
> I don't care much about the latter, and the first only for the files.

I feel the same way for most cases. That's why I didn't do more about
script source leakage before. I think there are some things an
attacker could do if he had GM_xmlhttpRequest --- he could log into
gmail for you and act on your behalf, for instance (presuming you had
the "remember me" option set).

But you're right, this is significantly less of a big deal. I guess a
last ditch fallback would be to just fix the access to the file system.

> I only use 1 script that makes any API calls (and just menu commands)
> that I can live without rather easily. So I'm safe with the neutered
> 0.3.5 posted, correct?

Yes!

- a

