[Greasemonkey] say horray for evalInSandbox()
zboogs at gmail.com
Tue Jul 19 09:19:26 EDT 2005
> While I strongly applaud your efforts in the suddenly-come-to-light
> security issues, I hope this isn't the final solution =) I absolutely
> love greasemonkey, I have written quite a range of scripts for it, and
> I currently have 11 include * scripts, and a few site specifics. It
> simply won't work to have a half second delay added on every page.
Heck no. All of that startup cost appears to be initializing a new
wrangling, I should be able to reuse one engine over and over. If I
can't get the speed down, I won't implement it this way. As you said,
it's not acceptable.
> As an aside, if I read the other long thread correctly there's only
> two actual issues to consider:
> - Leaking API calls (and through them local files)
> - Leaking script source
> I don't care much about the latter, and the first only for the files.
I feel the same way for most cases. That's why I didn't do more about
script source leakage before. I think there are some things an
attacker could do if he had GM_xmlhttpRequest --- he could log into
gmail for you and act on your behalf, for instance (presuming you had
the "remember me" option set).
But you're right, this is significantly less of a big deal. I guess a
last ditch fallback would be to just fix the access to file system.
> I only use 1 script that makes any API calls (and just menu commands)
> that I can live without rather easily. So I'm safe with the neutered
> 0.3.5 posted correct?
More information about the Greasemonkey