[Greasemonkey] GM_xmlhttpRequest and localhost
jason at injektilo.org
Tue Jul 19 13:21:32 EDT 2005
Mark Pilgrim wrote:
> On 7/19/05, Jun Yang <jyang825 at gmail.com> wrote:
> > I think the access to http://localhost is important for many
> > wonderful possibilities. However, security concerns are also real.
> > Can we plese do this? Some configuration is provided for user to
> > allow only GM scripts from certainly sites to access
> > http://localhost?
> Please disable all access by default, then provide options to allow
> access to localhost (and 127.0.0.1!). Such access is only useful for
> script developers, who can enable it if they need it.
> Even better, don't provide a GUI option for it, just put it in
> about:config (no access by default) and publish documentation on how
> script developers can change it. I can't see any legitimate need to
> bother end users with this.
I like disabling everything by default. But why not make it a per-script
option like the @include and @exclude headers?
// @allow-requests-to localhost
This makes it explicit what a user script might be contacting on a
script-by-script basis. You won't have to look through the source for
the script to see if it's contacting anybody you don't want it to.
A "@forbid-requests-to" header probably wouldn't be necessary since
everything would be (should be) forbidden by default. Unless, of course,
you wanted to do something like this:
// @forbid-request-to *.goatse.cx
// @allow-requests-to *
Assuming GM is fixed so that websites can't access the GM_* functions,
why not allow scripts the use of the file scheme (as long as it's
// @allow-requests-to file:///home/jason/stuff/*
I can imagine this being very useful for scripts that want access to
some configuration or metadata but don't want to "hard code" that
information in the script itself.
More information about the Greasemonkey