[Greasemonkey] greasemonkey for secure data over insecure
networks / sites
Godmar Back
godmar at gmail.com
Mon Jul 18 23:49:48 EDT 2005
On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> This approach would only work if it is possible to identify that the
> call chain does not include script code not inserted by GM. You
> could, for instance wrap the insert code like so:
> function f() {
> the user's script goes here
> }
> f();
> and then ensure that "f" is in the call path before granting GM_
> privileges. Make sure that you don't use 'f', but an impossible to
> guess dynamically created name.
>
One second thought, I don't think this is possible without using
complete stack inspection. For instance, a script might associate code
with event handlers. This code is then invoked later from a different
context; it could conceivably high-jacked as well.
I'm not sure how JavaScript implements closures, but if a closure
contains a reference to the enclosing funciton in which is was
created, you could check that closure for the magic function name
before allowing the call to the GM_ function.
- Godmar
More information about the Greasemonkey
mailing list