[Greasemonkey] Where to get the latest version of Greasemonkey for Firefox 1.5?
Aaron Boodman
zboogs at gmail.com
Tue Nov 15 20:51:37 EST 2005
On 11/15/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> On 11/15/05, Lenny Domnitser <ldrhcp at gmail.com> wrote:
> > On 11/15/05, Jesse Andrews <anotherjesse at gmail.com> wrote:
> > > Perhaps we should put a big link to that on userscripts.org ??
> >
> > I think the big link should go to GM 0.6.4. Jeremy's 0.6.3 release
> > notes included this security bug:
> >
> > On 10/16/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> > > Aaron, you have a TODO to set sandbox.__proto__ = wrapper(unsafe)
> > > pending on moz bug 307005. It's fixed, but didn't make the change
> > > since I'm not totally confident what it's for, and I'd rather be safe
> > > than sorry.
> >
> > What is the status of this? If it is fixed in GM, the version number
> > should be bumped up, and if not then you can't advertise this version
> > to end users. Since the Mozilla bug is resolved, it should be a quick
> > fix, but I can't seem to find the right line in the GM source.
>
> Actually, leaving this undone doesn't have security implications.
>
> I didn't do it because making that change -does- have implications.
> What I mean is, right now, sandbox.__proto__ is null. Adding
> sandbox.__proto__ = something means more stuff in the lookup chain.
> Since I didn't know Aaron's line of thinking on adding the content
> window to the sandbox chain, I didn't want to add it.
>
> Clear as mud?
Um, no. sandbox.__proto__ is set to unsafeContentWin on line 187. As
far as I understand it, the effect of this should be:
* lookups for globals defined in the content document's global scope succeed
* foo = bar, where foo isn't defined anywhere, goes on the content
document's global scope
But that isn't how it works. Gmail preview script had to be modified
because lookups for global variables in the content document were not
defined. The solution was to add unsafeWin.
So it looks like it's time for some quality time with the js spec. I'm
going to put together a bunch of tests to try and determine how it is
working now, and why, and whether to add back that line.
- a
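The two expectations listed above can be checked against plain JavaScript semantics without Greasemonkey at all. The following is an added example, not code from this thread or from the Greasemonkey source: it models the script's global scope as an object named sandbox and the page's global object as a constructed object named contentWin (both names are assumptions for the illustration), and shows what setting sandbox.__proto__ to the content window actually does for reads versus writes.

```javascript
// Added example: prototype-chain behaviour of a sandbox whose __proto__ is
// the page's global object. "sandbox" and "contentWin" are stand-ins for the
// illustration, not Greasemonkey's real objects.

// Constructed stand-in for the content document's global object.
const contentWin = { pageGlobal: "defined by the page" };

// A sandbox with a null prototype: names it does not define itself resolve
// to nothing, which matches the "sandbox.__proto__ is null" case.
function makeIsolatedSandbox() {
  return Object.create(null);
}

// A sandbox whose prototype is the content window: reads of names the
// sandbox does not define fall through to the page's globals.
function makeDelegatingSandbox(win) {
  return Object.create(win);
}

// Resolve a name the way a bare identifier read would: own property first,
// then every object on the prototype chain.
function lookup(sandbox, name) {
  return name in sandbox ? sandbox[name] : undefined;
}

// Assign to a name that is not an own property of the sandbox and report
// where the value landed. Plain assignment never writes through to the
// prototype: it creates an own property on the receiver, so the page's
// global object is left untouched even when it is on the chain.
function assignUndefinedName(sandbox, name, value) {
  sandbox[name] = value;
  const proto = Object.getPrototypeOf(sandbox);
  return {
    onSandbox: Object.prototype.hasOwnProperty.call(sandbox, name),
    onPrototype: proto !== null &&
      Object.prototype.hasOwnProperty.call(proto, name),
  };
}

// Because delegation is live, a global the page defines later becomes
// visible to the script for any name the script has not defined itself.
// That is the trust consequence of putting the page on the lookup chain.
function pageDefinesLater(sandbox, win, name, value) {
  const before = lookup(sandbox, name);
  win[name] = value;
  return { before, after: lookup(sandbox, name) };
}

// Stand-alone run: print both cases side by side.
console.log("isolated read:", lookup(makeIsolatedSandbox(), "pageGlobal"));
console.log("delegating read:",
  lookup(makeDelegatingSandbox(contentWin), "pageGlobal"));
console.log("assignment lands on:",
  assignUndefinedName(makeDelegatingSandbox(contentWin), "foo", 1));
```

So the first expectation (reads of page globals succeed) holds once the prototype is set, but the second (an assignment to an undefined name lands on the page's global scope) does not: the write stays on the sandbox. Whatever the Gmail preview script observed, it is not explained by the prototype link alone, which is consistent with the plan to test the behaviour directly.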