[Greasemonkey] GM_xmlhttpRequest and localhost

Anthony Lieuallen arantius at gmail.com
Tue Jul 19 18:27:49 EDT 2005


My two cents:

Think of all the general user base spread across the world.  How many
of these people are running a web server on localhost?  Got to be well
well under 1%.  It's almost pointless to worry about.

But, given that in the case where there is one, there's a much more
significant chance of some kind of security hole because the server
assumes requests from localhost are privileged, we should do
something.

I vote for blocking localhost and 127.*.*.* (don't remember that whole
A class resolves to localhost) by default.  If it's not too much
trouble, an about:config to turn it back on for the few people who are
(or know) developers perfectly capable of it anyways.
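
The default-deny check proposed above, sketched as an added example (not code from this post or from Greasemonkey). The names `checkRequestUrl` and `allowLoopback` are hypothetical; `allowLoopback` stands in for the about:config switch, and the sketch also covers the IPv6 loopback and alternate IPv4 spellings.

```javascript
// Hypothetical preference standing in for the about:config switch.
// Default: requests to loopback hosts are blocked.
const DEFAULT_PREFS = { allowLoopback: false };

// True when the (already canonicalized) hostname is a loopback name or literal.
function isLoopbackHostname(hostname) {
  const host = hostname.replace(/\.$/, ""); // "localhost." -> "localhost"
  // "localhost" and any name under it (RFC 6761).
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // IPv6 loopback literal.
  if (host === "[::1]") return true;
  // The whole 127.0.0.0/8 block: only the first octet matters.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (v4 && Number(v4[1]) === 127) return true;
  // IPv4-mapped IPv6: [::ffff:127.0.0.1] is serialized as [::ffff:7f00:1].
  const mapped = /^\[::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}\]$/.exec(host);
  if (mapped && (parseInt(mapped[1], 16) >> 8) === 127) return true;
  return false;
}

// Decide whether a privileged request to urlString may be sent.
// The WHATWG URL parser rewrites spellings such as "2130706433",
// "0x7f.1", "0177.0.0.1" and "127.1" to dotted-quad form, so the
// check runs on the parsed hostname, never on the raw string.
function checkRequestUrl(urlString, prefs = DEFAULT_PREFS) {
  let hostname;
  try {
    hostname = new URL(urlString).hostname;
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" }; // fail closed
  }
  if (isLoopbackHostname(hostname) && !prefs.allowLoopback) {
    return { allowed: false, reason: "loopback host blocked by default" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample URLs, for illustration only.
for (const u of ["http://localhost:8080/admin", "http://2130706433/",
                 "http://[::1]/", "http://example.com/"]) {
  console.log(u, checkRequestUrl(u));
}
```

A hostname check like this does not catch an ordinary DNS name that resolves to 127.0.0.1; covering that case requires checking the resolved address at connection time.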

