[Greasemonkey] Alternative script injection technique proof of concept

Bill Donnelly donnelly at snowcrest.net
Sat Jul 23 03:41:18 EDT 2005


I'm not sure if I understand what you're saying.

If someone redefines
  document.__proto__.getElementById
AND/or
  document.getElementById,
and you
  "delete document.getElementById",
then it will still NOT call the correct native value?

And, if this is true, then there MUST be some _minimum level_
of "scope chain" values that you can delete to ALWAYS achieve
the desired result. Right?

I would think that would be, in most cases (for 'base' methods, e.g.),
two levels:

the prototype value and the non-prototype value (or whatever
that level is called)

So, to be VERY sure, what you should do is:

delete window (not necessary, because window is not redefinable, right?)
delete window.document
delete window.document.getElementById
delete window.document.__proto__.getElementById (?)

Or, what am I missing and/or not understanding?


Aaron Boodman wrote:

 >>So, any time you REALLY want to make sure that someone hasn't
 >>redefined some function/method or property/field, just delete
 >>the reference to it and you are ensured that you will get the
 >>real, native value.
 >
 >
 >This is only true if the prop was redefined on the object you're
 >deleting it from. The problem is that it can be redefined anywhere in
 >the scope chain.
 >
 >gm: document.getElementById("foo")
 >content: document.getElementById = function(){}
 >gm: delete document.getElementById
 >content: document.__proto__.getElementById = function(){}
 >gm: delete document.__proto__.getElementById
 >content: document.__proto__ = new Object();
 >
 >ad infinitum...
 >
 >The only way to be sure is to use XPCNativeWrapper. And even then, it
 >only works on XPCOM objects. Greasemonkey 0.4.1 (the next version)
 >will provide two XPCNativeWrapper starting points for user scripts:
 >one for window, and one for document.
 >
 >So with GM 0.4.1 + FF DPa2+, when you do document.getElementById, or
 >window.location.href, you know you're getting the native values.

-- 
Jack the Ripper may have been quite insane,
but he had beautiful penmanship.
btw -- Don't look back!
The lemmings are gaining on you.
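The escalation in the quoted exchange, replayed as an added example that is not part of this thread and not Greasemonkey code. It is a Node.js model with no DOM: NativeDocument, HTMLDocumentLike, locateProperty, isNative and replay are made-up names standing in for the browser objects under discussion. It shows that "delete" only ever strips one level of shadowing, that a replaced __proto__ leaves nothing to delete, and that recovery needs a reference the page could not reach, which is the role the XPCNativeWrapper starting points play.

```javascript
// Added illustration for the thread above; not code from Greasemonkey or
// from either poster. Runs in Node.js with no DOM. All names below are
// stand-ins for the browser objects being discussed.

// Deepest prototype: where the "native" method really lives.
class NativeDocument {
  getElementById(id) { return `native:${id}`; }
}
// Intermediate prototype, playing the part of document.__proto__.
class HTMLDocumentLike extends NativeDocument {}

// References captured before any untrusted code runs. A user script in the
// browser cannot do this, because the page's scripts run first; that is why
// a wrapper handed over by the extension is needed instead.
const trustedProto = HTMLDocumentLike.prototype;
const trustedGetElementById = NativeDocument.prototype.getElementById;

// Walk the prototype chain and report which object actually supplies `name`.
// depth 0 = own property of `obj`, 1 = its __proto__, and so on.
function locateProperty(obj, name) {
  let cur = obj;
  let depth = 0;
  while (cur !== null) {
    if (Object.prototype.hasOwnProperty.call(cur, name)) {
      return { owner: cur, value: cur[name], depth };
    }
    cur = Object.getPrototypeOf(cur);
    depth += 1;
  }
  return null;
}

// Would doc.getElementById(...) reach the native implementation?
function isNative(doc) {
  const hit = locateProperty(doc, 'getElementById');
  return hit !== null && hit.value === trustedGetElementById;
}

// Replay the quoted exchange: each content-page move, then the user script's
// `delete`, recording whether the native method is still reachable.
function replay() {
  const doc = new HTMLDocumentLike();
  const steps = [];
  const record = (label) => steps.push([label, isNative(doc)]);

  record('start');

  // content: document.getElementById = function(){}
  doc.getElementById = function () { return 'hijacked:own'; };
  record('content shadows own property');
  // gm: delete document.getElementById  (the shadow was here, so this works)
  delete doc.getElementById;
  record('gm deletes own property');

  // content: document.__proto__.getElementById = function(){}
  Object.getPrototypeOf(doc).getElementById = function () { return 'hijacked:proto'; };
  record('content shadows on __proto__');
  // gm: delete document.getElementById  (no own property: nothing changes)
  delete doc.getElementById;
  record('gm deletes own property again');
  // gm: delete document.__proto__.getElementById  (one level deeper: works)
  delete Object.getPrototypeOf(doc).getElementById;
  record('gm deletes from __proto__');

  // content: document.__proto__ = new Object();  The chain no longer leads to
  // the native prototype at all, so there is nothing left for delete to strip.
  Object.setPrototypeOf(doc, { getElementById() { return 'hijacked:new-proto'; } });
  record('content replaces __proto__');
  delete doc.getElementById;
  record('gm deletes own property after replacement');

  // Recovery is only possible from a reference the page could not touch.
  Object.setPrototypeOf(doc, trustedProto);
  record('gm restores from trusted reference');

  return steps;
}
```

Each entry returned by replay() is [step, nativeReachable]; reading them in order reproduces the back-and-forth in the quote, with the final "true" coming only from the trusted reference, not from any delete. The same locateProperty walk is a useful integrity check in its own right: a method that resolves at depth 0 or 1 instead of on the expected prototype is a sign something has been shadowed.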


