[Greasemonkey] GM_xmlhttpRequest and localhost

Lenny Domnitser ldrhcp at gmail.com
Tue Jul 19 18:40:31 EDT 2005


On 7/19/05, Anthony Lieuallen <arantius at gmail.com> wrote:
> I vote for blocking localhost and 127.*.*.* (don't remember that whole
> A class resolves to localhost) by default.

You may wish to protect other private hosts that are not at 127.*.*.*
and are not the computer running GM (i.e. an intranet). Denying access
to a portion of private servers may break some scripts, but really
will not prevent malicious activity.

This really is more an issue of trusting the script writer (or reading
the code). Consider this parallel: would you argue to disable reading
keyboard input by GM scripts because a malicious script can log
keystrokes and "phone home"?
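
[Added example, not part of the original message and not Greasemonkey code: a host classifier showing which request targets a "localhost and 127.*" rule catches and which intranet addresses it leaves reachable. The function names and the sample URLs are assumptions made for illustration.]

```javascript
// Classify the host of a request URL. Only literal IPv4 addresses, "localhost"
// and [::1] are recognised; a DNS name that resolves to a private address is
// reported as "unknown-name", which is one reason a host filter alone is weak.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

function classifyHost(url) {
  // The URL parser normalises shorthand IPv4 forms such as 127.1.
  const host = new URL(url).hostname.toLowerCase();
  if (host === "localhost" || host === "[::1]") return "loopback";
  const ip = parseIPv4(host);
  if (!ip) return "unknown-name";
  const [a, b] = ip;
  if (a === 127) return "loopback";                        // 127.0.0.0/8
  if (a === 10) return "private";                          // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return "private";   // 172.16.0.0/12
  if (a === 192 && b === 168) return "private";            // 192.168.0.0/16
  if (a === 169 && b === 254) return "link-local";         // 169.254.0.0/16
  return "public";
}

// Policy from the quoted proposal: block only localhost and 127.*.
const blockLoopbackOnly = (url) => classifyHost(url) === "loopback";

// Broader policy that also covers the intranet hosts raised in the reply.
const blockNonPublic = (url) =>
  ["loopback", "private", "link-local"].includes(classifyHost(url));

// Constructed sample targets (not taken from the thread).
const samples = [
  "http://localhost:8080/",
  "http://127.0.0.1/",
  "http://192.168.1.1/",
  "http://10.0.0.5/wiki",
  "http://intranet.example/",
];

function compare(urls) {
  return urls.map((url) => ({
    url,
    kind: classifyHost(url),
    loopbackOnly: blockLoopbackOnly(url),
    nonPublic: blockNonPublic(url),
  }));
}

console.table(compare(samples));
```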

