[Greasemonkey] GM_xmlhttpRequest and localhost

Jason Diamond jason at injektilo.org
Tue Jul 19 13:21:32 EDT 2005


Mark Pilgrim wrote:

>  On 7/19/05, Jun Yang <jyang825 at gmail.com> wrote:
>
> > I think the access to http://localhost is important for many
> > wonderful possibilities. However, security concerns are also real.
> > Can we plese do this? Some configuration is provided for user to
> > allow only GM scripts from certainly sites to access
> > http://localhost?
>
>  Please disable all access by default, then provide options to allow
>  access to localhost (and 127.0.0.1!). Such access is only useful for
>  script developers, who can enable it if they need it.
>
>  Even better, don't provide a GUI option for it, just put it in
>  about:config (no access by default) and publish documentation on how
>  script developers can change it. I can't see any legitimate need to
>  bother end users with this.

I like disabling everything by default. But why not make it a per-script
option like the @include and @exclude headers?

// ==UserScript==
// ...
// @allow-requests-to localhost
// ==/UserScript==

This makes it explicit what a user script might be contacting on a
script-by-script basis. You won't have to look through the source for
the script to see if it's contacting anybody you don't want it to.

A "@forbid-requests-to" header probably wouldn't be necessary since
everything would be (should be) forbidden by default. Unless, of course,
you wanted to do something like this:

// ==UserScript==
// ...
// @forbid-request-to *.goatse.cx
// @allow-requests-to *
// ==/UserScript==

Assuming GM is fixed so that websites can't access the GM_* functions,
why not allow scripts the use of the file scheme (as long as it's
explicitly allowed)?

// ==UserScript==
// ...
// @allow-requests-to file:///home/jason/stuff/*
// ==/UserScript==

I can imagine this being very useful for scripts that want access to
some configuration or metadata but don't want to "hard code" that
information in the script itself.

-- 
Jason


More information about the Greasemonkey mailing list