[Greasemonkey] GM_xmlhttpRequest and localhost

Jason Diamond jason at injektilo.org
Tue Jul 19 14:07:15 EDT 2005

Aaron Boodman wrote:

>  I can see doing something with configuration, but it also seems
>  non-trivial to figure out what resolves to localhost and/or other
>  internal servers. And accessing internal servers is a very real use
>  case.

I hope nobody expects GM to do this. If a user goes through the trouble 
of putting an entry in their hosts file mapping google.com to an 
internal host, why would anybody expect GM to be smart enough to figure 
that out?

>  I think that the best solution is configuration (about:config) which
>  specifies what servers can be contacted. But I think this can wait
>  until a later release. People who don't want GM scripts contacting
>  internal sites can just not use GM *and* are not in control of what
>  scripts they install can just not use GM.
>  Put another way, I don't think it's Greasemonkey's responsibility to
>  disallow access to the internal network. It seems like a cool
>  feature, I agree, but not a requirement.

OK, I think I agree with what you're saying. Disallowing access to 
*just* the internal network doesn't make sense as far as GM is concerned.

However, I think it should be GM's responsibility to disallow access to 
the *entire* network--not just the internal network.

I'd like to be able to install a user script and not have to examine the 
entire thing (especially John's 93K monster) to make sure it's not 
sending anything I don't want it to to sites I don't know or trust. 
That's why I like the idea of explicitly specifying what URLs each 
script can access with GM_xmlhttpRequest. I can look at the headers for 
a script and immediately determine who it might be contacting and can 
make a quick decision as to whether I'm OK with that or not.

If we treat these headers like the @include and @exclude headers where 
we can specify patterns, we can even allow access to local files. But 
only the local files I, the user in charge, am giving the script 
permission to access.
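The allow-list Jason describes, worked through as an added example (this is not Greasemonkey code and not code from anyone on this thread). It assumes a hypothetical `@allow-url` header whose values use the same `*` glob syntax as `@include`/`@exclude`; a request is refused unless its normalised URL matches one of the script's declared patterns, so a reviewer only has to read the header block to know where the script can send data. The sample script and URLs are constructed for the example.

```javascript
// Added example: a per-script URL allow-list for GM_xmlhttpRequest,
// modelled on the @include/@exclude glob syntax. "@allow-url" is a
// hypothetical header name chosen for this illustration.

// Constructed sample user script header block.
const SAMPLE_SCRIPT = `// ==UserScript==
// @name        Example
// @include     http://www.google.com/*
// @allow-url   http://api.example.com/*
// @allow-url   https://*.example.org/data/*
// @allow-url   file:///home/me/notes/*
// ==/UserScript==
`;

// Pull every "@allow-url <pattern>" line out of the metadata block.
function parseAllowedUrls(source, header = "@allow-url") {
  const patterns = [];
  const block = source.match(/\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!block) return patterns; // no header block: nothing is allowed
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\/\/\s*(@\S+)\s+(\S+)/);
    if (m && m[1] === header) patterns.push(m[2]);
  }
  return patterns;
}

// Convert a Greasemonkey-style glob (only "*" is special) into an anchored
// RegExp; everything else in the pattern is escaped literally.
function globToRegExp(glob) {
  const escaped = glob
    .split("*")
    .map(part => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$");
}

// Deny by default: parse the URL first so scheme and host are normalised
// (e.g. upper-case "HTTP://API.EXAMPLE.COM" becomes "http://api.example.com")
// before it is compared against the script's patterns. Unparseable input
// is refused rather than matched as raw text.
function isUrlAllowed(url, patterns) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return patterns.some(p => globToRegExp(p).test(parsed.href));
}

// Wrapper a GM_xmlhttpRequest implementation could sit behind: the real
// request function is only reached when the allow-list check passes.
function guardedRequest(details, patterns, doRequest) {
  if (!isUrlAllowed(details.url, patterns)) {
    return { allowed: false, reason: `URL not in script allow-list: ${details.url}` };
  }
  return { allowed: true, result: doRequest(details) };
}

// Stand-alone demonstration.
const allowed = parseAllowedUrls(SAMPLE_SCRIPT);
for (const url of [
  "http://api.example.com/search?q=1",
  "http://localhost/admin",
  "http://api.example.com.evil.test/",
  "file:///home/me/notes/todo.txt",
]) {
  console.log(url, "->", isUrlAllowed(url, allowed) ? "allowed" : "refused");
}
```

Because the URL is parsed before matching, a pattern such as `http://api.example.com/*` requires the `/` after the host, so look-alike hosts (`api.example.com.evil.test`) and relative or malformed strings are refused; a `file:` pattern behaves the same way, which is how the "only the local files I grant" case from the message falls out of the same check.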


