[Greasemonkey] GM_xmlhttpRequest and localhost

Edward Lee edilee at gmail.com
Tue Jul 19 13:17:10 EDT 2005


On 7/19/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> Even better, don't provide a GUI option for it, just put it in
> about:config (no access by default) and publish documentation on how
> script developers can change it.  I can't see any legitimate need to
> bother end users with this.

Sounds good.

On a side note, good secure design can't really help much with bad
scripts. Someone could for a seemingly good reason (I don't know what
:p) do something like window.publicFunction = GM_xmlhttprequest. Yes,
it would be quite unlikely for it to be exploited because that script
would have to be run on a site that knows of that exploit. I don't
find it to be too big of an issue because I can look through scripts
to see what they do, but the possibility is there.

-- 
Ed


More information about the Greasemonkey mailing list