[Greasemonkey] Local file system access

Mark Pilgrim pilgrim at gmail.com
Tue Jul 26 14:57:31 EDT 2005


On 7/26/05, Lenny Domnitser <ldrhcp at gmail.com> wrote:
> On 7/26/05, Dan Phiffer <dan at phiffer.org> wrote:
> > I have a question: would it be hard to engineer some way for
> > Greasemonkey to allow a user to selectively grant user scripts access
> > to their local file system?
> 
> GM_xmlhttpRequest (currently disabled) has access to the local file
> system through the file: URI scheme. This is not the security risk
> discussed, but just something that contributes to it. The actual
> concern was not that user scripts could use GM_xmlhttpRequest on local
> files, but that scripts on a webpage could "steal" GM_xmlhttpRequest
> and use it to access local files with their own malicious code, not
> the code of installed user scripts.

What Lenny said.  The upcoming (fully fixed) GM will allow
GM_xmlhttpRequest but disallow any file:// URLs (so even installed
user scripts will not have any access to the local file system).

Plus, what Dan is proposing strikes me as a really bad idea.  If you
want local file access, write an extension.

-- 
Cheers,
-Mark


More information about the Greasemonkey mailing list