[Greasemonkey] global storage script and security inquiry
Bill Donnelly
donnelly at snowcrest.net
Mon Sep 5 18:32:49 EDT 2005
Thanks for the descriptions and comments. (both)
So, "assuming" GM_setPref() and GM_getPref() are basically "secure",
(and, as far as I can see in the code, they are) do you see any overt
and/or terrible thing with what I've done with allowing the ability
to set and get values for a specific script context via the published
interface? (i.e., is it more-likely-than-not *probably* 'safe'/okay?)
e.g., in about:config, it shows the pref I showed in the example Bm as
greasemonkey.scriptvals.http://www.snowcrest.net/donnelly/gmscripts//
Global Store - Global Values Get/Set.srUi_def
(which just brought up a thought -- is there any check for two scripts
with the same name and namespace not being duplicated, or is that
"automatic" based on the way it all works?)
People could also rename the metadata name and namespace values, although
they are all prefixed by 'greasemonkey.scriptvals.', so...
(also, even though it's probably "safe", you probably should not store
'private' data in the prefs, like SSN, CC#, passwords, etc.)
btw -- The scenario you described walking back up the stack into chrome
sounds bad, but, I thought, even if they did that, they would still
be somewhat controlled with what they can do. That is, anything you
try to do in chrome seems to be verified before you can do it --
even if you know about something inside (internals), the browser will
stop you from accessing it if you aren't supposed to. afaik
tia
--
Some of us Drink Deeply from
the Fountain of Knowledge.
Most people sip; too many gargle.
---------------------------------
I just ate your Soul.
Forgive me. It was juicy.
And tart on my tongue.