[Greasemonkey] GM_xmlhttpRequest and localhost

Aaron Boodman zboogs at gmail.com
Tue Jul 19 11:51:39 EDT 2005

> I believe the security issue is that *other* people would also
> possibly have access to your localhost which you might have intended
> to only be for yourself. If someone finds another way to take over
> GM_xmlhttprequest, they could put it on some public website and access
> your private localhost pages.
> I have pages running on localhost, but they're also accessible by my
> IP. Others have localhost set up only to let that computer access. A
> hijacked greaesmonkey would act like the user accessing from the local
> computer, but the control is actually from outside.

I don't mean to sound cavilier but this is an acceptable risk to me.
In order to be exploited, GM_xmlhttpRequest would have to be leaked to
content again, which we will try very hard to avoid!

Perhaps a future release could have settings for like Jeremy was
suggesting, or a way to disable it for the paranoid.


More information about the Greasemonkey mailing list