[Greasemonkey] Greasemonkey 0.4.1 (The Next Generation)

Brendan Crosser-McGay verifex at gmail.com
Tue Jul 26 15:01:32 EDT 2005


Thank you :) I'm really happy you guys put in the time to make this secure, 
I'm sure many script authors out there, including me, are overjoyed by this 
new release! :)

> > Okay, I'm about to install it, but I had a question. You managed to close
> > all the security holes, yet you said user scripts are still not to be
> > considered secure from content. I'm not sure I understand.
> 
> The term "secure" is getting overloaded.
> 
> There is "secure" as in "my files aren't going to get read by some
> random website" and "some random website isn't going to be able to
> use GM_xmlhttpRequest to read other websites' cookies".
> 
> Those things are no longer possible in GM-TNG.
> 
> What I meant by not considering user script source secure was that the
> source code of user scripts can be read by content. So you should not
> put passwords in them.
> 
> > or they should not be considered secure because
> > content can finagle its way into just the right place to start hijacking
> > userscripts using standard DOM functions.
> 
> This is true, but the most a hostile content script could do is:
> 
> * prevent your user script from running
> * steal your user script's source code
> 
> There are precious few cases, even with GM 0.3.x, of content providers
> actively trying to block GM. It's even harder now. So I really don't
> think that's going to happen much.
> 
> And unless you are using the steal-from-my-bank.user.js or
> all-my-secret-passwords.user.js script, it's not going to matter to
> you that much that content could read your user scripts.
> 
> HTH
> 
> - a
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>