[Greasemonkey] Alternative script injection technique proof of concept
Aaron Boodman
zboogs at gmail.com
Mon Jul 18 17:26:33 EDT 2005
I talked to Brendan Eich about this approach and he recommended
against it since the code will still have chrome permissions if
executed this way. It could still do things that it should be able to
without the Components object.
Like,
for (var i = 0; i < window.frames.length; i++) {
  alert(window.frames[i].document.body.innerHTML);
}
even if the frames are in different domains.
--
Aaron
On 7/18/05, Jacob Scherrer <scherrer at gmail.com> wrote:
> alert("hello!") is working for me with the first (new
> this.componentWindow.Object()) approach. Can you think of any other
> function calls that may not work? I'd like to work on that problem. The
> second approach is not ideal since the list of this exclude could
> potentially get quite large, and, like you mentioned, there may be
> other ways to reach sensitive objects.