[Greasemonkey] GM_xmlhttpRequest and localhost
jason at injektilo.org
Tue Jul 19 14:07:15 EDT 2005
Aaron Boodman wrote:
> I can see doing something with configuration, but it also seems
> non-trivial to figure out what resolves to localhost and/or other
> internal servers. And accessing internal servers is a very real use

I hope nobody expects GM to do this. If a user goes through the trouble
of putting an entry in their hosts file mapping google.com to an
internal host, why would anybody expect GM to be smart enough to figure

> I think that the best solution is configuration (about:config) which
> specifies what servers can be contacted. But I think this can wait
> until a later release. People who don't want GM scripts contacting
> internal sites can just not use GM *and* are not in control of what
> scripts they install can just not use GM.
>
> Put another way, I don't think it's Greasemonkey's responsibility to
> disallow access to the internal network. It seems like a cool
> feature, I agree, but not a requirement.

OK, I think I agree with what you're saying. Disallowing access to
*just* the internal network doesn't make sense as far as GM is concerned.
However, I think it should be GM's responsibility to disallow access to
the *entire* network--not just the internal network.

I'd like to be able to install a user script and not have to examine the
entire thing (especially John's 93K monster) to make sure it's not
sending anything I don't want it to to sites I don't know or trust.

That's why I like the idea of explicitly specifying what URLs each
script can access with GM_xmlhttpRequest. I can look at the headers for
a script and immediately determine who it might be contacting and can
make a quick decision as to whether I'm OK with that or not.

If we treat these headers like the @include and @exclude headers where
we can specify patterns, we can even allow access to local files. But
only the local files I, the user in charge, am giving the script
permission to access.
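
One way the per-script allow-list proposed in the message above could be checked, as an added example that is not part of the original post or Greasemonkey's own code. The `@xhr-include` header name, the helper functions and the sample script are all hypothetical.

```javascript
// Added example: default-deny check for GM_xmlhttpRequest targets.
// "@xhr-include" is a hypothetical header name, not a Greasemonkey feature.

// Collect every value of one header key from the ==UserScript== block.
function parseHeaders(source, key) {
  const block = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  if (!block) return [];
  const values = [];
  for (const line of block[1].split("\n")) {
    const m = /^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/.exec(line);
    if (m && m[1] === key) values.push(m[2]);
  }
  return values;
}

// Turn an @include-style glob (only "*" is special) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// A request is allowed only if its normalized URL matches a declared pattern.
// Normalizing first means "/prices/../admin" is judged as "/admin".
function mayRequest(source, url) {
  let normalized;
  try {
    normalized = new URL(url).href;
  } catch (e) {
    return false; // unparseable URLs are refused
  }
  return parseHeaders(source, "xhr-include")
    .some((glob) => globToRegExp(glob).test(normalized));
}

// Constructed sample script; hosts and paths are placeholders.
const SAMPLE = [
  "// ==UserScript==",
  "// @name        Price checker",
  "// @include     http://shop.example/*",
  "// @xhr-include http://api.example/prices/*",
  "// @xhr-include file:///home/user/notes/*",
  "// ==/UserScript==",
  "GM_xmlhttpRequest({method: 'GET', url: 'http://api.example/prices/1'});",
].join("\n");
```

Because the allow-list lives in the header block, a user can read the two `@xhr-include` lines and know every destination the script may contact without reading its body.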