[Greasemonkey] Alternative script injection technique proof of concept
John Plsek
gm at plsek.id.au
Wed Jul 20 01:09:40 EDT 2005
Aaron Boodman wrote:
>So our options are to implement it ourselves, only be compatible with
>1.1, or have a neutered mode for < 1.1.

You can have an optionally neutered mode - that allows end users to
decide if the scripts (on a per script basis) get run in neutered or
exposed mode ... I'm doing it now!! I've made a dochandler.js that has
the sandbox code for 1.1, neutered form of 0.4, standard form of 0.4,
and my eval method - the last just for kicks ;-)

Sorry, I know I seem to be pushing the options route, but I use cross
domain GM_xmlHttpRequest in most of my scripts, and GM_get/set in some
... in fact, only one out of my 6 scripts doesn't use any GM_* function.

It's a matter of trust, I guess. I trust, for instance,
search.ebay.com.au will never have any malicious code ... and since I
only include the script for http://search.ebay.com.au/* there's no way
that script can expose me to risk ... so I let my script run as it did
before,

John