[Greasemonkey] GM 0.6.2 no workie

Aaron Boodman zboogs at gmail.com
Tue Nov 29 11:27:09 EST 2005 

Basically the story is this:

There's a bit in greasemonkey.js which sets the __proto__ of the
sandbox to an XPCNativeWrapper around window. What this does it make
it so that lookups for global js variables in the content window fail
and unqualified properties of window (such as "location" or
"navigator") go to the safe versions instead of the unsafe ones.

Unfortunately, it makes all the global names from the xml-extras
package, including XMLHttpRequest, XMLDocument, XPathResult, etc
inaccessible as well. Simple enums and constants, like XPathResult can
be copied from another window (for example the hidden window), or you
can just use the nsIXPathResults interface. But complex objects, like
XMLHttpRequest fail with permissions errors when you try to use
instances from some other context.

The most well-known scripts I have seen to fail here is gmail preview
pane, because it uses XMLHttpRequest.

So my options right now are:

* Find some way I didn't think of to make this work. I'm meeting with
the Mozilla people today to ask them about this.

* Emulate XMLHttpRequest with GM_xmlhttpRequest. This will fix scripts
who rely on basic XMLHttpRequest functionality, but will fail for
scripts which use anything advanced which cannot be emulated (like
getResponseHeader() or server push). It will also not fix any of the
other less-commonly used xmlextras objects, which people might
sometimes reach for and be surprised to not find.

* Ship without xml-extras support. Authors could still make requests
using GM_xmlhttpRequest and xpath searches using document.evaluate().
They wouldn't be able to construct new XMLDocuments or use lower-level
xpath interfaces, but I don't know of anyone doing that in
Greasemonkey right now.

* Ship without __proto__ = xpcnw(window). This would mean that
window.location, window.navigator, etc are all less secure.


Opinions welcome!

- a

On 11/29/05, Anthony Lieuallen <arantius at gmail.com> wrote:
> I've had multiple users contact me that in FF 1.5 RC3, scripts (that I
> wrote) did not work with GM 0.6.2.  I pointed them to the 0.6.3 in the
> list archives, and all have reported that things now worked.
> There's probably a more official release of GM planned now that FF 1.5
> is due so soon, but I'm wondering what and when?
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>

More information about the Greasemonkey mailing list