[Greasemonkey] Bait and switch script installation

Alex Thomson abthomson at gmail.com
Wed Jun 15 18:21:37 EDT 2005


Even if it's not possible to identify for sure whether someone is
viewing or installing, treating the second request from a given IP as
the installation would probably work in the majority of cases.

Also, while it's easy to send data to whatever site via GM, a mix of
caution and peer review should minimize the risk. My concern is that
even if somebody does read a lengthy script in its entirety, in this
case it doesn't mean much.  Also, this is a lot easier to fix.

-Alex

On 6/15/05, Chris Hayes <chayes at antenna.nl> wrote:
> Alex Thomson wrote:
> 
> >Like most people, when I look at a user script and then go
> >tools/Install user script, I expect the script that's installed to be
> >the one I just saw.  However, since GM re-downloads the script when
> >you click Install, this isn't necessarily the case.
> >
> >Via mod_rewrite, http://example.com/script.user.js can return anything
> >it wants, and not necessarily what it returned to you the last time
> >you viewed the page.  This is a security risk, no?
> >
> >
> Well, yes, and if I reorganise a server to treat a js file as a php file
> (or whatever other parser) I can also try to cheat (I think mod_rewrite
> is not the easiest way).
> 
> I'm not sure if it is possible to see serverside whether you are
> installing or peeking at a script. You might compare headers to check
> this. It would be bad if this would be easy to do!
> 
> The longer scripts get (I now have one of 600 lines, including many
> comments) the easier it is to smuggle in an extra, um, feature anyway.
> 
> My concern is that it is dead easy to forward any data to whatever site,
> in a URL.
> 
> Chris
> 
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>

