[Greasemonkey] Greasemonkey 0.4.1 (The Next Generation)

Brendan Crosser-McGay verifex at gmail.com
Tue Jul 26 14:11:22 EDT 2005


Okay, I'm about to install it, but I had a question. You managed to close 
all the security holes, yet you said user scripts are still not to be 
considered secure from content. I'm not sure I understand. Do you mean user 
scripts should not be considered secure, just in general (as I perfectly 
understand), or they should not be considered secure because content can 
finagle its way into just the right place to start hijacking userscripts 
using standard DOM functions?

I guess without actually writing a script to do this I shouldn't really say 
anything, but I'm not sure I trust my ability to debug something like this 
yet. If I were to write a function that sends data via the GML_httpxml 
request, invariably I'm going to be inserting some element of the current 
page into that request (à la the Burro script). Is it possible that a 
GM-aware-and-hostile-content-side script could manage to put a hook into all 
DOM functions that lets it inject whatever it wants into any GM functions, 
as long as the GM userscript uses some DOM function to gather that data?

-Brendan

On 7/26/05, chris feldmann <cfeldmann at gmail.com> wrote:
> 
> Thanks for the hard work. I've been having to use the regular old internet 
> for days now!
> 
> On 7/26/05, Aaron Boodman <zboogs at gmail.com> wrote:
> > 
> > > Instead of calling window.location's setter, line 4 creates a local 
> > > variable, like justSomeVariable.
> > 
> > I see. It seems like with (window) at the top level would fix this.
> > I'll give it a try.
> > _______________________________________________
> > Greasemonkey mailing list
> > Greasemonkey at mozdev.org
> > http://mozdev.org/mailman/listinfo/greasemonkey
> > 
>
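
The concern raised in the message above, sketched from the userscript author's side as an added example (not part of the original post and not Greasemonkey's code). It assumes content can make a DOM call return a value of its choosing; `ENDPOINT`, `sanitizePageValue`, `buildRequest` and the three fake document objects are hypothetical names and constructed data, and the returned object stands in for the details a script would hand to its request function.

```javascript
// Added example: treat everything read through the DOM as untrusted input.
const ENDPOINT = "https://lookup.example/search"; // fixed by the script, never by the page
const MAX_LEN = 200;

// Reduce anything read from the page to a bounded plain string, or null.
function sanitizePageValue(value) {
  // Reject non-strings outright: an object handed back by the page could
  // run its own toString()/valueOf() when the script concatenates it.
  if (typeof value !== "string") return null;
  // Replace control characters (CR/LF included) with spaces.
  const cleaned = value.replace(/[\u0000-\u001f\u007f]/g, " ").trim();
  if (cleaned.length === 0 || cleaned.length > MAX_LEN) return null;
  return cleaned;
}

// Build the request details. Page data can only ever become one
// percent-encoded query parameter on a URL the script chose.
function buildRequest(doc) {
  let raw;
  try {
    const node = doc.getElementById("title");
    raw = node ? node.textContent : null;
  } catch (e) {
    return null; // the DOM call threw: send nothing
  }
  const q = sanitizePageValue(raw);
  if (q === null) return null;
  return { method: "GET", url: ENDPOINT + "?q=" + encodeURIComponent(q) };
}

// Constructed stand-ins for a page's document object.
const honestDoc = {
  getElementById: () => ({ textContent: "Cryptonomicon" }),
};
// The page makes the lookup return a string it picked.
const hookedDoc = {
  getElementById: () => ({
    textContent: "x&redirect=https://evil.example/\r\nX-Injected: 1",
  }),
};
// The page returns an object where the script expects a string.
const objectDoc = {
  getElementById: () => ({ textContent: { toString: () => "surprise" } }),
};

console.log(buildRequest(honestDoc), buildRequest(hookedDoc), buildRequest(objectDoc));
```

The hooked value still reaches the request, but only as data inside the single `q` parameter; it cannot change the host, add parameters or break onto a new line.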