[Greasemonkey] Re: Security Concern & Help Request (Scott Turner)
Aaron Boodman
zboogs at gmail.com
Wed Dec 7 17:59:33 EST 2005
On 12/7/05, Scott Turner <srt19170 at gmail.com> wrote:
> Looking at this I'm a little concerned by how this works... It does an
> import of a text file from a URL. Where would the Platypus library (for
> instance), live? I don't see how that can work very well... I suppose a
> file:url that was installed when Platypus was installed? Is that what
> you're thinking?
I was thinking that you'd create your own folder when Platypus is
installed and add yourself to whichever register Greasemonkey looks in
to find libraries. You'd basically emulate what happens when a lib is
downloaded.
> What kind of overhead is incurred by reading a file and
> eval()ing it? Would it noticeably slow down the web page?
The same kind that running each Greasemonkey script incurs ;-) If it
ever gets to be a problem, they could of course be cached in memory
-- that's an implementation detail. So far, it hasn't even been
noticeable.
So I don't remember precisely how this is set up, but how I could
imagine it working:
/greasemonkey
  /components/
  /chrome/...
  /libs/
    /http://mochikit.com/v1.1/
      /mochikit.js
    /http://mochikit.com/v1.2/
      /mochikit.js
    /http://platypus.mozdev.org/
      /platypus.js
Then in the header of the script:
@import http://platypus.mozdev.org/platypus.js
One difference here is that I think the existing implementation
relates all libraries of a script to that library. So if many scripts
include the same library, it can be quite wasteful.
At runtime in the script:
var platlib = GM_getImport("http://platypus.mozdev.org/platypus.js");
platlib.doStuff();
But thinking about this, there's definitely more to this than there
appears to be. I probably need to think about it more. I'm trying to
figure out if there's a security issue (beyond using GM_xmlhttpRequest
to access arbitrary domains) of librarifying arbitrary js files.
So now I'm less sure of an immediate solution. Not sure what to tell
you. I'm really not keen on the unsafeWindow thing. Perhaps a janky
lower-level hook for Greasemonkey-Platypus collaboration.
- a
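
Added example, not part of the original message and not Greasemonkey code: one way to resolve @import header lines to a shared /libs/ store keyed by URL, so a library used by many scripts is stored once. Function names, the "// @import" comment form, and the http(s)-only policy are assumptions.

```javascript
// Added example. Only @import and the /greasemonkey/libs/ layout come from the
// message; every function name and the http(s)-only policy are assumptions.
const LIB_ROOT = "/greasemonkey/libs";

// Collect @import URLs from the "// ==UserScript==" metadata block only.
function parseImports(source) {
  const urls = [];
  for (const line of source.split(/\r?\n/)) {
    if (/^\s*\/\/\s*==\/UserScript==/.test(line)) break; // end of header
    const m = /^\s*\/\/\s*@import\s+(\S+)\s*$/.exec(line);
    if (m) urls.push(m[1]);
  }
  return urls;
}

// Map an import URL to <LIB_ROOT>/<encoded base URL>/<encoded file>, or null.
function libraryPath(importUrl) {
  let u;
  try { u = new URL(importUrl); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  const slash = u.pathname.lastIndexOf("/");
  const file = u.pathname.slice(slash + 1) + u.search;
  if (file === "") return null; // URL names a directory, not a file
  // Encoding "/" and ":" makes each part a single path component, so nothing
  // in the URL can add directory levels or step outside LIB_ROOT.
  const folder = encodeURIComponent(u.origin + u.pathname.slice(0, slash + 1));
  return LIB_ROOT + "/" + folder + "/" + encodeURIComponent(file);
}

// Index stored libraries by path so a library used by many scripts exists once.
function buildLibraryIndex(scripts) {
  const index = new Map();
  const rejected = [];
  for (const [name, source] of Object.entries(scripts)) {
    for (const url of parseImports(source)) {
      const path = libraryPath(url);
      if (path === null) { rejected.push({ script: name, url }); continue; }
      if (!index.has(path)) index.set(path, []);
      index.get(path).push(name);
    }
  }
  return { index, rejected };
}

// Constructed sample scripts (not real userscripts).
const SAMPLE_SCRIPTS = {
  "a.user.js": "// ==UserScript==\n// @import http://platypus.mozdev.org/platypus.js\n// ==/UserScript==\n",
  "b.user.js": "// ==UserScript==\n// @import http://platypus.mozdev.org/platypus.js\n" +
    "// @import file:///tmp/local.js\n// ==/UserScript==\n// @import http://ignored.example/x.js\n",
};
```

buildLibraryIndex(SAMPLE_SCRIPTS) yields a single stored library shared by both scripts and one rejected import; the @import line after the header block is ignored.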