[Greasemonkey] greasemonkey for secure data over insecure networks / sites
Godmar Back
godmar at gmail.com
Tue Jul 19 02:24:16 EDT 2005
I see - so you're providing a new "global object" for user script code
that is different from the content's global object - this means you no
longer have to attach privileged objects to the content's global
object.
This gives you essentially namespace-based (or call it scope-based)
protection, leaving you with the issue of GM scripts that willfully
leak names - and as such privileges - to untrusted pages - but the
truly accidental exposure as of now is no longer possible.
- Godmar
On 7/19/05, Aaron Boodman <zboogs at gmail.com> wrote:
> No,
>
> User scripts always have access to GM_xmlhttpRequest - no matter when
> they execute - because they are in their global scope.
>
> Content does not have access to GM_xmlhttpRequest because
> GM_xmlhttpRequest is not on content's global scope.
>
> Maybe you're confusing scope and security context. The global scope of
> content is the window object -- that's why content can call alert( )
> instead of window.alert( ) and it works.
>
> The global scope for our user scripts will be a new object whose
> prototype is the content window. But that object will also have some
> new properties, GM_xmlhttpRequest is one of them. But that new object
> is not in content's scope chain at all.
>
>
> --
> Aaron
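The scope arrangement described in the quoted reply, and the willful leak raised at the top of this message, modeled with plain objects as an added example (not Greasemonkey's code and not written by either poster). The names `makeContentWindow`, `makeUserScriptScope`, `runIn` and `demo` are hypothetical, the privileged function is a stand-in, and `with` is used to stand in for the scope chain.

```javascript
// Constructed model of the scopes discussed in this thread; not Greasemonkey source.
// It models name lookup only, not the browser's security contexts.

// Content's global scope: the window object itself.
function makeContentWindow() {
  const win = { alert: (msg) => "alert:" + msg };
  win.window = win; // content can say alert() or window.alert()
  return win;
}

// User script global: a new object whose prototype is the content window,
// carrying the privileged function as its own property.
function makeUserScriptScope(contentWindow) {
  const scope = Object.create(contentWindow);
  Object.defineProperty(scope, "GM_xmlhttpRequest", {
    value: (details) => "privileged request to " + details.url, // stand-in
  });
  return scope;
}

// Evaluate src with `scope` at the head of the scope chain. new Function
// bodies are non-strict, so `with` is allowed here.
function runIn(scope, src) {
  return new Function("scope", "src", "with (scope) { return eval(src); }")(scope, src);
}

function demo() {
  const content = makeContentWindow();
  const user = makeUserScriptScope(content);
  const result = {
    // The user script resolves the privileged name on its own global object.
    userSees: runIn(user, "typeof GM_xmlhttpRequest"),
    // Content names are still reachable through the prototype link.
    inherited: runIn(user, "alert('hi')"),
    // Content's scope chain never includes the user script's global object.
    contentSees: runIn(content, "typeof GM_xmlhttpRequest"),
  };
  // A script that deliberately assigns the function onto the content window
  // hands the privilege to the page; the scope separation cannot prevent that.
  runIn(user, "window.leaked = GM_xmlhttpRequest");
  result.contentAfterLeak = runIn(content, "typeof leaked");
  return result;
}

console.log(demo());
```

When reviewing a user script under this model, any assignment of a `GM_` function (or a closure over one) to `window` or to a page-reachable object is the pattern to flag.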