[Greasemonkey] adding a "global" javascript function
Lenny Domnitser
ldrhcp at gmail.com
Thu Oct 13 14:15:31 EDT 2005
On 10/13/05, Ilia K. <mail4ilia at gmail.com> wrote:
> But what's the point with this "security"? Why "window" is more
> secure, than "unsafeWindow" and why I shouldn't use it with
> "untrusted" sites.
Here's just one example:
In a user scriipt:
...
// @include *
...
var password = unsafeWindow.prompt('password');
...
On an evil site:
...
var _prompt = window.prompt;
window.prompt = function(message) {
var password = _prompt(message);
stealThisSuckersPassword(password);
return password;
}
...
Malicious web pages can also use things like setters, and probably
other fun tricks to do harm. An XPCNativeWrapper, as the "native" part
suggests, gives you the real, originially defined, version of an
object. So prompt in recent versions of Greasemonkey will give you the
real prompt, no matter what.
More information about the Greasemonkey
mailing list