[Greasemonkey] Bait and switch script installation
Chris Hayes
chayes at antenna.nl
Thu Jun 16 01:07:31 EDT 2005
Alex Thomson wrote:
>Like most people, when I look at a user script and then go
>tools/Install user script, I expect the script that's installed to be
>the one I just saw. However, since GM re-downloads the script when
>you click Install, this isn't necessarily the case.
>
>Via mod_rewrite, http://example.com/script.user.js can return anything
>it wants, and not necessarily what it returned to you the last time
>you viewed the page. This is a security risk, no?
>
>
Well yes, and if I reorganise a server to treat a js file as a php file
(or whatever other parser) I can also try to cheat (I think mod_rewrite
is not the easiest way).
I'm not sure if it is possible to see server-side whether you are
installing or peeking at a script. You might compare headers to check
this. It would be bad if this would be easy to do!
The longer scripts get (I now have one of 600 lines, including many
comments) the easier it is to smuggle in an extra, um, feature anyway.
My concern is that it is dead easy to forward any data to whatever site,
in a URL.
Chris
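
The gap discussed in this thread is a time-of-check/time-of-use problem: the text that was reviewed and the text that gets installed come from two separate downloads. The following is an added example, not part of the original messages and not Greasemonkey's code; every function name and the sample script text are hypothetical and constructed. It models the re-download flow next to a flow that installs exactly the reviewed text and reports any lines that differ in the second download.

```javascript
// Constructed sample data: the copy shown at review time and a later, different copy.
const REVIEWED = [
  "// ==UserScript==",
  "// @name Example",
  "// ==/UserScript==",
  "document.title = 'hello';",
].join("\n");
const SWITCHED = REVIEWED + "\nalert('not in the reviewed copy');";

// Stand-in for a server whose answer may change between requests (no network I/O).
// Returns responses[0], then responses[1], ... and repeats the last one.
function makeSwitchingServer(responses) {
  let n = 0;
  return function fetchScript(url) {
    const body = responses[Math.min(n, responses.length - 1)];
    n += 1;
    return body;
  };
}

// Flow described in the thread: view once, download again when Install is clicked.
function installByRefetch(fetchScript, url) {
  const reviewed = fetchScript(url);  // what the user reads
  const installed = fetchScript(url); // what actually gets installed
  return { reviewed, installed };
}

// Lines present in `after` but not in `before`, with 1-based line numbers.
function diffLines(before, after) {
  const seen = new Set(before.split("\n"));
  return after.split("\n")
    .map((text, i) => ({ line: i + 1, text }))
    .filter((l) => !seen.has(l.text));
}

// Hardened flow (assumption): install the reviewed text itself; the second
// download is used only to report that the server changed its answer.
function installPinned(fetchScript, url) {
  const reviewed = fetchScript(url);
  const second = fetchScript(url);
  return { reviewed, installed: reviewed, changed: diffLines(reviewed, second) };
}

const url = "http://example.com/script.user.js";
const naive = installByRefetch(makeSwitchingServer([REVIEWED, SWITCHED]), url);
const pinned = installPinned(makeSwitchingServer([REVIEWED, SWITCHED]), url);
console.log("refetch installs reviewed text:", naive.installed === naive.reviewed);
console.log("pinned installs reviewed text:", pinned.installed === pinned.reviewed);
console.log("lines added after review:", pinned.changed);
```

Pinning the reviewed text does not address the second point raised above: a long script can still hide an unwanted line in plain sight, so the review itself has to cover the whole file.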