[Greasemonkey] GM-TNG unsafeWindow gripes

Aaron Boodman zboogs at gmail.com
Wed Jul 27 12:43:41 EDT 2005


On 7/27/05, Lenny Domnitser <ldrhcp at gmail.com> wrote:
> First, for consistency and to avoid confusion, if something is
> GM-specific, it should start with "GM_". Also, it is not inherently
> *unsafe* to use the content window. Perhaps unsafeWindow should be
> called GM_contentWindow.

Agree. I will make these changes. You have to view the naming through
the lens of the security mania of last week.

> Although, of course, it would be even better to preserve compatibility
> with old scripts by just naming unsafeWindow window, and making the
> default scope something like "GM_window", which would be what is
> called window in GM-TNG.

Wow, I think that would be really wierd. So |window| would refer to
the content window but no qualifier would refer to the XPCified
window? And if you just create a variable it goes on the sandbox? My
head is spinning.

Ideally, what I would like to move toward is not having the content
window anywhere in the scope chain at all. You have to specifically
ask for it with |window| or |document| or |contentWindow| or whatever.
The default scope will be a sandbox that just has the GM APIs in it.

That is what I initially tried to release for 0.4.x before people
expressed that they really really wanted FF 1.0.x support.
Unfortunately removing the content window completely from the scope
chain is either impossible or really difficult and really slow in
1.0.x so that will have to wait for Deer Park to release.

So how about this as a stop gap?

Global scope: content window
window: xpc (safe) window in deer park, regular window in 1.0.x
document: xpc (safe) document in deer park, regular doc in 1.0.x
contentWindow: regular (unsafe) window in all versions

-- 
Aaron


More information about the Greasemonkey mailing list