[Greasemonkey] Security Concern & Help Request
Aaron Boodman
zboogs at gmail.com
Wed Dec 7 11:56:24 EST 2005
There has been code hanging around for a while to implement libraries
in Greasemonkey and I had hoped to do this for the next version. The
approach is really slick and could easily be extensible. There's a wiki
page about it:
http://www.freegarethandrew.org/mediawiki/index.php?title=GreasemonkeyImports#Code
Maybe you'd like to try and patch it into GM 0.6?
If you do this, I'm pretty much ready to release GM 0.6.5; I was just
trying to give people a little time to catch their breath.
GM 0.6.5 already has:
* improvements to upgrade path to make it less breaky
* GM_executeContentScript - a safe way to execute content script based
on Jesse Ruderman's location.href = javascript: idea.
If you add library support, then I will add MochiKit as a default
library and this list will grow to:
* platypus support
* mochikit support
I will also probably add:
* Pablo's recent locale fix
* Michael Kraft's recent fix for the context menu not showing scripts in frames
That would be a really nice release.
- a
On 12/7/05, Scott Turner <srt19170 at gmail.com> wrote:
> My previous request got no response, but I'm going to try again and hope
> someone takes pity on me.
>
> I've got a fixed version of Platypus that sends a reference to a Platypus
> function into Greasemonkey by hanging it on unsafeWindow. This is something
> of a "security" hole, because a web page could conceivably hijack the
> function definition and replace it with one of its own. I say "security"
> hole because regardless of the hijacking, the function is going to be
> executed as part of a GM script and so I don't think could do anything
> particularly nasty.
>
> Nonetheless, I'd rather there was a safer method for passing a function from
> the Platypus extension to the GM extension, but I can't think of one.
> (Strictly speaking, I could eliminate the need for the function at all by
> simply including all the function's code into the GM script Platypus
> generates. That would be ugly and inefficient, but if there's no better
> solution I may surrender.) Is there some better method I'm missing?
>
> Any help greatly appreciated...
>
> -- Scott
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>
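As an added illustration of the hand-off Scott describes (not code from the thread, from Platypus or from Greasemonkey): a page and an extension share one window object, so a function hung on it with a plain assignment is just a writable property that page script can replace, whereas a non-writable, non-configurable property resists both reassignment and redefinition. `makeWindow`, `trustedHelper`, `platypusHelper` and the hostile page script are stand-ins constructed for the example.

```javascript
// Stand-in for the page window that page script and the GM script both see
// (unsafeWindow in Greasemonkey terms); constructed for this example.
function makeWindow() { return {}; }

// Extension side: the helper that the generated GM script is meant to call.
function trustedHelper(x) { return "trusted:" + x; }

// Naive hand-off: an ordinary assignment, which page script can overwrite.
function exposeNaive(win) { win.platypusHelper = trustedHelper; }

// Hardened hand-off: define the property so no holder of the window
// reference can reassign or redefine it.
function exposeFrozen(win) {
  Object.defineProperty(win, "platypusHelper", {
    value: trustedHelper, writable: false, configurable: false, enumerable: true,
  });
}

// Hostile page script trying both a plain assignment and a redefinition.
function pageHijacks(win) {
  const hijacked = function (x) { return "hijacked:" + x; };
  try { win.platypusHelper = hijacked; } catch (e) { /* strict mode: TypeError on a non-writable property */ }
  try {
    Object.defineProperty(win, "platypusHelper", { value: hijacked });
  } catch (e) { /* non-configurable property: TypeError */ }
}

// GM-script side: calls whatever is on the window, as the generated script would.
function gmScriptCalls(win, arg) { return win.platypusHelper(arg); }

// Expose, let the page run, then report which function the GM script executed.
function scenario(expose) {
  const win = makeWindow();
  expose(win);
  pageHijacks(win);
  return gmScriptCalls(win, "data");
}
```

The locked-down property only helps if the extension defines it before any page script runs (a page that defines the name first, non-configurable, would make the extension's `defineProperty` throw instead), and it does nothing to stop page code from calling the helper itself.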