[Greasemonkey] decision time: compatibility or anonymity?
Aaron Boodman
zboogs at gmail.com
Tue Jul 19 13:46:12 EDT 2005

Friends,

In implementing the new security, I have a chance to change the access
to the DOM so that - by default - you will be using deep implicit
XPCNativeWrappers for all objects
(http://developer-test.mozilla.org/en/docs/XPCNativeWrapper). This
will obviously only work for 1.1+; in earlier versions there will be
no wrappers.

The benefit is pretty huge: it will be difficult for content to spoof
methods to user scripts. This is how Dean Edwards' anti-Greasemonkey
script works today. All those sorts of Greasemonkey defeats will be
eliminated. (Note that spoofing methods isn't a security issue -- user
scripts run in low priv; even if content replaces a method so that it
calls something evil, user scripts won't be able to execute it -- it's
just annoying, and a good way to defeat gm.)

The problem is that in order to do that I have to change things so
that window is no longer the global object. In fact, there will be no
global objects. So for instance where now, people do
document.getElementById( ), in this model, they'd have to do
window.document.getElementById.

This can be mitigated somewhat by adding the most common objects
(document, location, alert, prompt, etc) to the global scope. But it
won't be the same as what we have now, and it may be slightly
confusing -- why can you access document globally, but not other
arbitrary methods on window?

The alternative approach is to do what we do now. In this case I can
keep all access exactly how it is - there will be no change. You can
still use XPCNativeWrapper if you want, you just have to do it
explicitly.

Let me know what you think,
--
Aaron
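
A simplified model of the wrapper behaviour described in the message above, as an added example that is not part of the original post and is not Greasemonkey's or Mozilla's code. It runs in plain JavaScript without a browser; `PageDocument`, `PageElement`, `deepWrap` and the sample data are constructed for illustration, and the snapshot table stands in for the browser's native implementations.

```javascript
// Simplified model in plain JavaScript (runs in Node); not Mozilla's implementation.
// PageDocument/PageElement stand in for native DOM objects (constructed names).
class PageElement {
  constructor(text) { this.text = text; }
  getText() { return this.text; }
}
class PageDocument {
  constructor(elements) { this.elements = elements; }
  getElementById(id) { return this.elements[id] ?? null; }
}

// Copy the original methods before any page script runs. This table plays
// the role of the browser's native implementations, which content cannot edit.
const natives = new Map();
for (const cls of [PageElement, PageDocument]) {
  const table = {};
  for (const name of Object.getOwnPropertyNames(cls.prototype)) {
    if (name !== "constructor") table[name] = cls.prototype[name];
  }
  natives.set(cls.prototype, Object.freeze(table));
}

// Hypothetical helper: a "deep" wrapper. Lookups resolve only against the
// snapshot, and every object returned by a call is wrapped again.
function deepWrap(target) {
  if (target === null || typeof target !== "object") return target;
  const table = natives.get(Object.getPrototypeOf(target));
  if (!table) return target; // not one of the modelled native objects
  return new Proxy(target, {
    get(obj, name) {
      // Anything the page added or replaced is invisible through the wrapper.
      if (!Object.prototype.hasOwnProperty.call(table, name)) return undefined;
      return (...args) => deepWrap(table[name].apply(obj, args));
    },
  });
}

function demo() {
  const doc = new PageDocument({ price: new PageElement("$10") });
  // Page script (constructed): replaces methods so user scripts see a decoy.
  doc.getElementById = () => ({ getText: () => "decoy" });
  PageElement.prototype.getText = () => "decoy";
  doc.pageHelper = () => "expando";

  const direct = doc.getElementById("price").getText();
  const wrapped = deepWrap(doc);
  const viaWrapper = wrapped.getElementById("price").getText();
  return { direct, viaWrapper, helperType: typeof wrapped.pageHelper };
}
console.log(demo());
```

The direct call returns the page's decoy, while the wrapped call reaches the original methods on both the document and the element it returns.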