[Greasemonkey] GM_xmlhttpRequest and localhost

Godmar Back godmar at gmail.com
Wed Jul 20 01:43:08 EDT 2005


On 7/19/05, Lenny Domnitser <ldrhcp at gmail.com> wrote:
> This really is more an issue of trusting the script writer (or reading
> the code). Consider this parallel: would you argue to disable reading
> keyboard input by GM scripts because a malicious script can log
> keystrokes and "phone home"?

As Aaron pointed out, even without xmlhttprequest, scripts have
numerous options to phone home.

GM should make clear to a user that when they install a script, they
trust the author of the script with all content that appears on the
pages for which the script is active, and with all keystrokes they
sent to these pages (and I haven't even looked into what kind of input
capturing might accessible to them.)

If you install a global script, you trust the script author not to
collect and abuse your bank account information or any password you
type on any website.  How many of you were immediately aware of this
fact when you installed your first GM scripts?  I for one wasn't.

This relates to the earlier issue of whether GM should silently pass
on privileges that it only obtained when the user went through the
intentionally tedious installation process to script authors that do
not require the same confirmation from the user.

 - Godmar


More information about the Greasemonkey mailing list