[Greasemonkey] Greasemonkey and venkman
Anthony Lieuallen
arantius at gmail.com
Mon Aug 21 16:32:42 EDT 2006
On 8/21/2006 3:27 PM, esquifit wrote:
> Incidentally, while searching for information regarding this
> possibility, I came across Mozilla Security Advisory 2006-31 [2]. I'm
> more than a bit surprised that this, being critical for GM, hasn't
> been mentioned in this list till now. This should be discussed in
> another thread, though.
>
> [2] http://www.mozilla.org/security/announce/2006/mfsa2006-31.html
Here's my take.
The linked page specifically mentions that "... a malicious userscript
could gain enough privilege to install malware, but even when
Greasemonkey is working as designed a malicious userscript can make life
miserable. Only install userscripts from sources you can trust."
The purpose of evalInSandbox, for GreaseMonkey, is to separate the user
script from the content page. If a mozilla bug makes *that* not happen,
then it is a big problem. The threat of a user script acting malicious
is smaller, if only because the number of user scripts you run is surely
smaller than the number of web sites you visit.
It was also fixed 2 patch levels (minor revisions?) ago =)
More information about the Greasemonkey
mailing list