[Greasemonkey] Alternative script injection technique proof of concept

Aaron Boodman zboogs at gmail.com
Sat Jul 23 03:17:16 EDT 2005


> So, any time you REALLY want to make sure that someone hasn't
> redefined some function/method or property/field, just delete
> the reference to it and you are ensured that you will get the
> real, native value.

This is only true if the prop was redefined on the object you're
deleting it from. The problem is that it can be redefined anywhere in
the scope chain.

gm: document.getElementById("foo")
content: document.getElementById = function(){}
gm: delete document.getElementById
content: document.__proto__.getElementById = function(){}
gm: delete document.__proto__.getElementById
content: document.__proto__ = new Object();

ad infinitum...

The only way to be sure is to use XPCNativeWrapper. And even then, it
only works on XPCOM objects. Greasemonkey 0.4.1 (the next version)
will provide two XPCNativeWrapper starting points for user scripts:
one for window, and one for document.

So with GM 0.4.1 + FF DPa2+, when you do document.getElementById, or
window.location.href, you know you're getting the native values.

-- 
Aaron


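The gm/content exchange in the post above, as an added example that is not part of the original post or of Greasemonkey: a Node.js simulation with a constructed prototype chain (`document -> HTMLDocumentProto -> DocumentProto`) standing in for the real DOM. It plays out the three rounds from the post (own property, prototype property, replaced `__proto__`), then goes one step beyond it with a non-configurable override that `delete` cannot remove at all, and finally shows a reference captured before page script runs as an illustration of the "known-good starting point" idea. That last helper is a stand-in only; it is not XPCNativeWrapper and assumes the user script gets to run before the page's script, which the post does not promise.

```javascript
"use strict";

// Constructed stand-in for the native DOM. Each page gets a fresh chain
//   document -> HTMLDocumentProto -> DocumentProto (where the native lives)
// so one experiment cannot contaminate the next.
function nativeGetElementById(id) {
  return { native: true, id };
}

function makePage() {
  const DocumentProto = { getElementById: nativeGetElementById };
  const HTMLDocumentProto = Object.create(DocumentProto); // document.__proto__
  return Object.create(HTMLDocumentProto);
}

// The user script's call site: an ordinary property lookup that walks the
// prototype chain at call time. true only if the native implementation ran,
// "threw" if nothing callable is left anywhere on the chain.
function gmLookup(document) {
  let el;
  try {
    el = document.getElementById("foo");
  } catch (e) {
    return "threw";
  }
  return el !== undefined && el.native === true;
}

// The page's replacement for getElementById.
function hijacked() {
  return { native: false };
}

// Round 1: own-property override. delete works because the override lives
// on the very object gm deletes from.
function ownPropertyRound() {
  const document = makePage();
  document.getElementById = hijacked;            // content
  const hijackedResult = gmLookup(document);     // false
  delete document.getElementById;                // gm
  return { hijackedResult, restored: gmLookup(document) }; // restored: true
}

// Round 2: override one level up. Deleting on `document` is a no-op; gm
// only wins because it happens to know to delete on __proto__ as well.
function prototypeRound() {
  const document = makePage();
  document.__proto__.getElementById = hijacked;  // content
  delete document.getElementById;                // gm: no own prop, no effect
  const stillHijacked = gmLookup(document);      // false
  delete document.__proto__.getElementById;      // gm: one level up
  return { stillHijacked, afterProtoDelete: gmLookup(document) }; // true
}

// Round 3: content swaps the whole prototype. Now no delete on `document`
// or on its (new) __proto__ can bring the native function back into view.
function replacedChainRound() {
  const document = makePage();
  document.__proto__ = { getElementById: hijacked }; // content
  delete document.getElementById;                    // gm
  delete document.__proto__.getElementById;          // gm: removes the override...
  return gmLookup(document);                         // "threw": native unreachable
}

// Beyond the post: a non-configurable override cannot be deleted at all.
// Reflect.deleteProperty reports the refusal instead of throwing in strict mode.
function nonConfigurableRound() {
  const document = makePage();
  Object.defineProperty(document, "getElementById", {
    value: hijacked, configurable: false, writable: false,
  });
  const deleted = Reflect.deleteProperty(document, "getElementById"); // false
  return { deleted, result: gmLookup(document) };                     // false
}

// Stand-in for a wrapper that does not consult the live chain: the reference
// is captured before any page script runs (assumed ordering) and called
// directly. Illustrates the idea only; it is not XPCNativeWrapper.
function makeSafeDocument(document) {
  const native = document.getElementById; // assumed: content has not run yet
  return { getElementById: (id) => native.call(document, id) };
}

function wrapperRound() {
  const document = makePage();
  const safe = makeSafeDocument(document);          // gm, first
  document.__proto__ = { getElementById: hijacked }; // content, afterwards
  return { live: gmLookup(document), viaWrapper: safe.getElementById("foo").native };
}
```

Run it with `node` and inspect the return values of each round; the live lookup is whatever the page last decided it should be, while the captured reference keeps returning the native object.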