[Greasemonkey] Greasemonkey 0.4.1 (The Next Generation)

Aaron Boodman zboogs at gmail.com
Tue Jul 26 14:52:30 EDT 2005

> Okay, I'm about to install it, but I had a question.  You managed to close
> all the security holes, yet you said user scripts are still not to be
> considered secure from content.  I'm not sure I understand.  

The term "secure" is getting overloaded.

There is "secure" as in "my files aren't going to get read by some
random website" and "some random website isn't going to be able to
use GM_xmlhttpRequest to read other websites' cookies".

Those things are no longer possible in GM-TNG.

What I meant by not considering user script source secure was that the
source code of user scripts can be read by content. So you should not
put passwords in them.

> or they should not be considered secure because
> content can finagle its way into just the right place to start hijacking
> userscripts using standard DOM functions.

This is true, but the most a hostile content script could do is: 

* prevent your user script from running
* steal your user script's source code

There are precious few cases, even with GM 0.3.x, of content providers
actively trying to block GM. It's even harder now. So I really don't
think that's going to happen much.

And unless you are using the steal-from-my-bank.user.js or
all-my-secret-passwords.user.js script, it's not going to matter to
you that much that content could read your user scripts.


- a
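
An added example, not part of the original message and not Greasemonkey's own code: because content can read user script source, one way to act on the advice above is to check a script for hard-coded credentials before installing it. The function name, the patterns and the sample script are assumptions constructed for illustration.

```javascript
// Added example: flag hard-coded credentials in a user script before installing it.
// The patterns and the sample script below are constructed for illustration.

// Identifier names that suggest a secret is being stored.
const SECRET_NAME = /(pass(word|wd)?|secret|token|api[_-]?key)/i;
// name = "literal"  or  name: "literal"  (either quote style, non-empty literal)
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'])((?:\\.|(?!\2).)+)\2/g;
// user:password@ embedded in a URL literal
const URL_CREDS = /\b[a-z][a-z0-9+.-]*:\/\/[^\s\/"'@:]+:[^\s\/"'@]+@/i;

function findHardcodedSecrets(source) {
  const findings = [];
  let inMetadata = false;
  source.split(/\r?\n/).forEach((line, i) => {
    // Skip the ==UserScript== metadata block; it holds @name/@include, not code.
    if (/^\s*\/\/\s*==UserScript==/.test(line)) { inMetadata = true; return; }
    if (/^\s*\/\/\s*==\/UserScript==/.test(line)) { inMetadata = false; return; }
    if (inMetadata) return;

    if (URL_CREDS.test(line)) {
      findings.push({ line: i + 1, kind: "url-credentials" });
    }
    ASSIGNMENT.lastIndex = 0;
    let m;
    while ((m = ASSIGNMENT.exec(line)) !== null) {
      if (SECRET_NAME.test(m[1])) {
        // Report the identifier only, never the literal value.
        findings.push({ line: i + 1, kind: "literal-secret", name: m[1] });
      }
    }
  });
  return findings;
}

// Constructed sample user script.
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Auto login (constructed sample)",
  "// @include  http://intranet.example/*",
  "// ==/UserScript==",
  "var user = 'alice';",
  "var password = 'hunter2';",
  "var feed = 'http://alice:hunter2@intranet.example/feed';",
  "var label = 'Password:';",
].join("\n");

console.log(findHardcodedSecrets(SAMPLE));
```

The check matches on identifier names, so a string such as `'Password:'` used as a label is not reported, and a secret stored under an innocuous variable name will be missed.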
