[Greasemonkey] global storage script and security inquiry
Aaron Boodman
zboogs at gmail.com
Sat Sep 3 11:52:21 EDT 2005
A lot of people have asked me this question. At a high level, of
course Bill is right. GM_xmlhttpRequest is *way* more powerful than
the others, the one that caused specific problems, and the one most
likely to continue to get us into trouble.
So why not just fix its file:// problem and move on?
* GM_getValue/GM_setValue
Since these functions access the preferences system, which is not
normally allowed by content script, they could -- if there were a bug
or hole in the implementation -- change some Firefox preferences. This
could even be used to maybe change security settings of other
components. Say Greasemonkey did store where you could
GM_xmlhttpRequest to in a pref, then a hole here could allow content
to change that preference. I believe that some security settings for
Firefox itself are also stored as preferences. Obviously, untrusted
content should not be able to change these.
* GM_log
This thing really only accesses the console. So I can't think of much
it could do other than DOS. But there's an outside chance of something
in its closure leaking to content which shouldn't be there. One could
imagine GM_getValue/GM_setValue being in GM_log's closure and us
leaking it that way.
* GM_registerMenuCommand
Since the functions which get registered are called from chrome, this
is an accident waiting to happen. If any DOM functions are replaced
which a menu item calls, then those functions can walk back up the
stack to get access to things inside chrome which they should not have
access to.
So yeah, as long as there are no *other* holes in GM besides leaking
these functions to content, it would seem that we are rather safe
leaving that as is. The thing is though, that it's hard to trust that
there will be no other holes. JavaScript is such a damned flexible
language.
When you go to an office building in NYC, you have to register with
security on the bottom floor, and then again with the security of the
office you're going to. You end up with two badges. Why bother? If you
can't get into the office on the floor you're going to, why not just
leave the bottom floor open?
I suppose this is what security in depth is about. It's hard to
guarantee that any one level is airtight, so you try and get as many
close-to-airtight levels lined up as possible. If there is a hole in
any one level you treat it as if it was critical because you never
know if there are other, unexposed holes in the other levels which
would allow the attacker to get increased privileges.
Maybe I am being paranoid, but I hope this at least clears up my
actions over the past month somewhat...
--
Aaron
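As an added illustration (not code from this post and not Greasemonkey's own implementation), the Node.js sketch below models the two hazards the message singles out: a chrome-side dispatcher calling content-registered menu callbacks, and GM_setValue acting as a door into the preferences store. A flat object stands in for the Firefox preferences system; the helper names (makeChrome, runMenuCommandUnsafe, makeValueApi) and the "greasemonkey.scriptvals.<scriptId>." prefix are assumptions for this example only.

```javascript
// Added illustration, not Greasemonkey's own code. A flat object stands in for
// the Firefox preferences system; every name here is an assumption.
"use strict";

function makeChrome() {
  // Constructed sample preferences; one of them models a security setting.
  const prefs = { "security.example": "locked" };
  return {
    prefs,
    setPref(name, value) { prefs[name] = value; },
    getPref(name) { return prefs[name]; },
    commands: new Map(),
    log: [],
  };
}

// Hazard 1: chrome calls a content-registered callback. This unsafe dispatcher
// hands the callback the chrome object both as `this` and as an argument.
function runMenuCommandUnsafe(chrome, name) {
  const fn = chrome.commands.get(name);
  return fn.call(chrome, chrome);
}

// Hardened dispatcher: no `this`, only frozen plain data as the argument, the
// return value is ignored, and an exception thrown by content is contained.
function runMenuCommandSafe(chrome, name) {
  const fn = chrome.commands.get(name);
  if (typeof fn !== "function") return false;
  const info = Object.freeze({ command: String(name) });
  try {
    Reflect.apply(fn, undefined, [info]);
  } catch (err) {
    chrome.log.push("menu command threw: " + String(err));
  }
  return true;
}

// Hazard 2: GM_setValue reaches the preferences store. The per-script
// accessors always prepend an assumed per-script prefix, so even a leaked
// GM_setValue cannot write a top-level preference such as "security.example".
function makeValueApi(chrome, scriptId) {
  const prefix = "greasemonkey.scriptvals." + scriptId + ".";
  return {
    GM_setValue(key, value) { chrome.setPref(prefix + key, value); },
    GM_getValue(key, fallback) {
      const v = chrome.getPref(prefix + key);
      return v === undefined ? fallback : v;
    },
  };
}

// GM_log comes from a separate factory that closes over the log sink only, so
// its closure never holds the preference accessors.
function makeLogApi(chrome) {
  const sink = chrome.log;
  return { GM_log(msg) { sink.push(String(msg)); } };
}

// A hostile content callback: grab anything it is handed that has setPref.
function maliciousCallback(arg) {
  for (const candidate of [this, arg]) {
    if (candidate && typeof candidate.setPref === "function") {
      candidate.setPref("security.example", "owned");
      return true;
    }
  }
  throw new Error("nothing privileged reachable");
}

function demoUnsafeDispatch() {
  const chrome = makeChrome();
  chrome.commands.set("Do it", maliciousCallback);
  runMenuCommandUnsafe(chrome, "Do it");
  return chrome.getPref("security.example");   // "owned"
}

function demoSafeDispatch() {
  const chrome = makeChrome();
  chrome.commands.set("Do it", maliciousCallback);
  runMenuCommandSafe(chrome, "Do it");         // callback throws; contained
  return chrome.getPref("security.example");   // "locked"
}

function demoNamespacedValues() {
  const chrome = makeChrome();
  makeLogApi(chrome).GM_log("script started");
  const api = makeValueApi(chrome, "evilscript");
  api.GM_setValue("security.example", "owned");   // lands under the prefix
  return {
    security: chrome.getPref("security.example"),   // "locked"
    scoped: api.GM_getValue("security.example"),    // "owned"
    rawKey: chrome.getPref("greasemonkey.scriptvals.evilscript.security.example"),
  };
}
```

The design point is the one the message makes about layering: the dispatcher never gives content a privileged `this` or argument, the exported functions each close over the minimum they need, and the value API confines writes to a per-script namespace, so a leak at any one of those layers does not by itself reach a Firefox security preference.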