[Greasemonkey] Greasemonkey 0.4.1 (The Next Generation)
verifex at gmail.com
Tue Jul 26 14:11:22 EDT 2005
Okay, I'm about to install it, but I had a question. You managed to close
all the security holes, yet you said user scripts are still not to be
considered secure from content. I'm not sure I understand. Do you mean user
scripts should not be considered secure, just in general (as I perfectly
understand), or they should not be considered secure because content can
finagle its way into just the right place to start hijacking userscripts
using standard DOM functions?
I guess without actually writing a script to do this I shouldn't really say
anything, but I'm not sure I trust my ability to debug something like this
yet. If I were to write a function that sends data via the GML_httpxml
request, invariably I'm going to be inserting some element of the current
page into that request (à la the Burro script). Is it possible that a
GM-aware-and-hostile-content-side script could manage to put a hook into all
DOM functions that lets it inject whatever it wants into any GM functions,
as long as the GM userscript uses some DOM function to gather that data?
On 7/26/05, chris feldmann <cfeldmann at gmail.com> wrote:
> Thanks for the hard work. I've been having to use the regular old internet
> for days now!
> On 7/26/05, Aaron Boodman <zboogs at gmail.com> wrote:
> > > Instead of calling window.location's setter, line 4 creates a local
> > > variable, like justSomeVariable.
> > I see. It seems like with (window) at the top level would fix this.
> > I'll give it a try.
> > _______________________________________________
> > Greasemonkey mailing list
> > Greasemonkey at mozdev.org
> > http://mozdev.org/mailman/listinfo/greasemonkey