[Greasemonkey] Quick fix?

Mark Pilgrim pilgrim at gmail.com
Tue Jul 26 14:55:02 EDT 2005


On 7/26/05, comex <comexk at gmail.com> wrote:
> So, especially given the relative unpopularity of Firefox/GM, this
> line makes my version of Greasemonkey (0.3.4) fairly secure as far as
> I can tell.
> 
> if(!details.url.match(/^(https?|ftp):/)) return;
> 
> I don't see why something like that isn't the recommended version to run.

I'm not sure where you expect to put that to get it to execute.  The
API leak in GM 0.3.4 leaks the actual function call; the remote page
can then set up their own onload callback and your code would never
execute.

If you don't believe me, test your theory on this page:
http://diveintogreasemonkey.org/experiments/localfile-leak.html

-- 
Cheers,
-Mark
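
The point made in the reply above, as a constructed model (an added example, not code from the original message or from Greasemonkey; every function name here is hypothetical). It shows that a scheme check placed in the calling script is skipped when a page invokes a leaked function reference directly, while the same check inside the privileged function still runs.

```javascript
// Constructed model: none of these names are Greasemonkey's real internals.
const ALLOWED = /^(https?|ftp):/;

// Stand-in for a privileged fetch; records every URL it actually loads.
function makePrivilegedFetch(enforceInside) {
  const loaded = [];
  function privilegedFetch(details) {
    // Placement B: the check lives inside the privileged function itself.
    if (enforceInside && !ALLOWED.test(details.url)) return false;
    loaded.push(details.url);
    if (details.onload) details.onload({ url: details.url });
    return true;
  }
  return { privilegedFetch, loaded };
}

// Placement A: the check lives in the user script, in front of the call.
function userScript(privilegedFetch, url) {
  if (!ALLOWED.test(url)) return false;
  return privilegedFetch({ url });
}

// A page holding the leaked reference calls it directly with its own
// callback, so nothing in userScript() ever runs.
function pageWithLeakedReference(privilegedFetch, url) {
  const seen = [];
  privilegedFetch({ url, onload: (r) => seen.push(r.url) });
  return seen;
}

// Run both callers against one privileged function and report the outcome.
function runModel(enforceInside) {
  const { privilegedFetch, loaded } = makePrivilegedFetch(enforceInside);
  const url = "file:///constructed/example.txt"; // constructed sample value
  const viaScript = userScript(privilegedFetch, url);
  const viaLeak = pageWithLeakedReference(privilegedFetch, url);
  return { viaScript, leakedCallReached: viaLeak.length > 0, loaded };
}

console.log("check in caller only:", runModel(false));
console.log("check inside privileged function:", runModel(true));
```
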

