[Greasemonkey] GM 0.6.3 and new Image()

Aaron Boodman zboogs at gmail.com
Thu Dec 1 09:15:03 EST 2005


> all good. Any reason for this?

Yes, Image is not a member of the IDL interfaces Window implements:

http://xulplanet.com/references/objref/Window.html

Because of this, it does not get reflected into XPCNativeWrapper and
Greasemonkey can't access it.

===

Warning, extremely mind-numbing technical jargon to follow... but if
you want to know what's really going on, here it is:

This is a security thing. Greasemonkey now only uses
XPCNativeWrappers. This is good because it means that content - the
website you're viewing - and your user script are completely isolated
from each other. You can't see the content's variables or functions (without
going through unsafeWindow) and, more importantly, content can't
see your variables or functions.

This is accomplished with XPCNativeWrapper. Say you have a JavaScript
object which is a wrapper around a C++ object which implements
IHTMLImage and IDOMNode. Through the magic of JavaScript, a content
script can change the meaning of appendChild (a member of IDOMNode) to
do something other than what the original C++ instance does. This is
the path to a bunch of attacks.

XPCNativeWrapper eliminates this by going through all the members of
all the interfaces a script object implements and creating a new
object which accesses the real, underlying C++ class directly and
cannot be changed by script. This means that XPCNativeWrappers always
call the methods you think they will.

Since Image() is not a member of any of the interfaces that Window
implements, it does not get found by XPCNativeWrapper and does not
show up for Greasemonkey.

So how does it exist for content scripts, you ask?

Image() is a special case (along with Option, XMLHttpRequest, etc.) in
the HTML/JavaScript/DOM code path in Mozilla where global constructors
are simply tacked onto the global JS namespace.

Some of these are getting fixed, slowly, but not until 1.6 or whatever.

Hope this helps, and once again, sorry about the interface changes. I
don't expect this set to ever shrink any more, only grow.

- a
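The mechanism described in the post above, modelled as an added example (this is not Greasemonkey or Mozilla code, and it is not part of the original message). The "native" objects are plain JavaScript classes standing in for the underlying C++ implementations, and the interface tables (`nsIDOMNode`, `nsIDOMWindow`, and their member lists) are assumptions made for the demonstration, not real IDL. It shows the two points of the post: a page can replace `appendChild` on an object so that unwrapped (unsafeWindow-style) access calls the page's version, while a wrapper built from the interface tables always reaches the real implementation; and a global constructor such as `Image` that is tacked straight onto the global object, rather than declared on an interface, never shows up on the wrapper.

```javascript
// Added example, not from the original post or from Mozilla/Greasemonkey.
// Simulated "C++" implementations. Methods live on the prototype, which is
// what the wrapper below consults; instances are what page script can touch.
class NativeNode {
  constructor(name) { this.name = name; this.children = []; }
  appendChild(child) { this.children.push(child); return child; }
  childCount() { return this.children.length; }
}

class NativeWindow {
  constructor() { this.document = new NativeNode('document'); }
  getDocument() { return this.document; }
}

// Assumed interface tables (in the real browser this comes from IDL).
// Note that 'Image' is deliberately absent from nsIDOMWindow.
const INTERFACES = {
  nsIDOMNode: ['appendChild', 'childCount'],
  nsIDOMWindow: ['getDocument'],
};

// Build a wrapper whose members call the prototype implementation directly,
// so replacements that page script installs on the instance are ignored.
function makeNativeWrapper(obj, interfaceNames) {
  const wrapper = Object.create(null);
  const proto = Object.getPrototypeOf(obj);
  for (const iface of interfaceNames) {
    for (const member of INTERFACES[iface]) {
      const original = proto[member];
      if (typeof original !== 'function') continue;
      Object.defineProperty(wrapper, member, {
        value: (...args) => original.apply(obj, args),
        writable: false, configurable: false, enumerable: true,
      });
    }
  }
  return Object.freeze(wrapper);
}

// Constructed scenario: the page replaces appendChild on its own node so that
// a caller gets back a fake node and nothing is actually appended.
function contentTampers(node) {
  node.appendChild = function (child) {
    return { name: 'fake-' + child.name, hijacked: true };
  };
  return node;
}

// Compare unwrapped access (what unsafeWindow exposes) with wrapped access.
function demoTamperedAppendChild() {
  const pageNode = contentTampers(new NativeNode('body'));
  const child = new NativeNode('img');

  const viaUnsafe = pageNode.appendChild(child);     // page's replacement runs
  const wrapped = makeNativeWrapper(pageNode, ['nsIDOMNode']);
  const viaWrapper = wrapped.appendChild(child);     // real implementation runs

  return {
    unsafeHijacked: viaUnsafe.hijacked === true,     // true
    wrapperHijacked: viaWrapper.hijacked === true,   // false
    childCount: wrapped.childCount(),                // 1: only the real call appended
  };
}

// Global constructors tacked onto the global object do not come from any
// interface, so the wrapper never sees them.
function demoGlobalConstructor() {
  const win = new NativeWindow();
  win.Image = function Image() { return new NativeNode('img'); };
  const wrappedWin = makeNativeWrapper(win, ['nsIDOMWindow']);
  return {
    windowHasImage: typeof win.Image === 'function',   // true (content sees it)
    wrapperHasImage: 'Image' in wrappedWin,            // false (user script does not)
    wrapperHasDocument: typeof wrappedWin.getDocument === 'function', // true
  };
}

module.exports = { makeNativeWrapper, demoTamperedAppendChild, demoGlobalConstructor };
```

The toy wrapper only reflects methods; the real XPCNativeWrapper also reflects attributes through their native getters and setters, which the `continue` above skips. The point it preserves is the one from the post: the wrapper is built from interface tables, not from whatever properties happen to exist on the script-visible object, so both the tampered method and the tacked-on `Image` constructor are invisible to it.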

