[Greasemonkey] Re: unsafeWindow.XmlHttpRequest in Greasemonkey 0.6.4
Julien Couvreur
julien.couvreur at gmail.com
Thu Jan 12 17:06:18 EST 2006
Aaron, I just tried the following on another machine (still FF1.5 and
GM0.6.4), in a user script:
alert(unsafeWindow.XMLHttpRequest);
unsafeWindow.GM_log = GM_log;
The first line succeeded, alerting with "[XMLHttpRequest]".
And the second succeeded too, leaking GM_log into the page. Then
I used the shell to call window.GM_log and it wrote to the console.
Now I'm really confused :-(
Cheers,
Julien
On 1/12/06, Julien Couvreur <julien.couvreur at gmail.com> wrote:
> I wrote:
> >> But alert(unsafeWindow.XMLHttpRequest) is null. Is that expected? If so, why?
> Aaron replied:
> > I can't explain this, it should work.
>
> Aaron, I'll try this again on different machines.
>
> If that works, I'm still unclear why I couldn't do the following
> (leaking GM_log into code that gets run by the page):
>
> var xhr = unsafeWindow.XMLHttpRequest;
> xhr.prototype.oldSend = xhr.prototype.send;
> xhr.prototype.send = function() { GM_log("sending"); this.oldSend(); }
>
>
> Aaron wrote:
> > I have checked out the scripts. Have you considered writing to a popup
> > window or some such? If you didn't need GM_log, then you could add the
> > entire script to the page's context using something like:
> > window.location.href = "javascript:" + bigChunkOfJS;
>
> I actually found a way to get my XMLHttpRequest Debugging script
> working again (but without the help of the GM_getValue, GM_setValue or
> GM_registerMenuCommand functions), by eval'ing it in the page.
> More details at http://blog.monstuff.com/archives/000274.html
>
> My other two related scripts: "Tracing" and "Security Bypass" do need
> the ability to leak GM_ functions (GM_log for the first and
> GM_XMLHttpRequest for the second).
> But then again the "Debugging" script is kind of a replacement for
> "Tracing", which leaves "Security Bypass" the only remaining problem.
>
>
> Aaron wrote:
> > We do not want to give random webpages increased privs.
>
> Not random pages, only the pages that I configure my "leaking" script for ;-)
>
>
> Randy Ray wrote:
> > You could put the calls in closures, attached via addEventListener().
>
> Randy, in that case the following should work to leak GM_log into the
> page context (I'll try it at home tonight):
> unsafeWindow.addEventListener("onload", function() { window.GM_log = GM_log; });
>
>
> Thanks both for your help,
> Julien
>
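
Added example, not part of the original message or of Greasemonkey: a plain-JavaScript simulation contrasting the two patterns discussed in this thread, assigning GM_log onto the page's window versus calling it from a closure wrapped around XMLHttpRequest.prototype.send. FakeXHR, makePage, makePrivilegedLog and the other helper names are constructed for illustration; the objects only model which names page code can reach, not Greasemonkey's actual wrappers or sandbox.

```javascript
// Constructed stand-ins: plain objects model the page and the user-script side.
// This does not reproduce Greasemonkey's real wrappers or security boundary.
function makePage() {
  function FakeXHR() { this.sent = []; }             // stand-in for XMLHttpRequest
  FakeXHR.prototype.send = function (body) { this.sent.push(body); };
  return { XMLHttpRequest: FakeXHR };                // stand-in for unsafeWindow
}

function makePrivilegedLog() {
  const lines = [];
  const log = function (msg) { lines.push(String(msg)); };  // stand-in for GM_log
  return { log, lines };
}

// Pattern 1 (from the thread): hand the privileged function itself to the page.
function leakDirect(page, gmLog) {
  page.GM_log = gmLog;
}

// Pattern 2: keep the function in a closure. The page only sees a wrapped send()
// that logs a fixed string and forwards its arguments to the original send().
function wrapSend(page, gmLog) {
  const proto = page.XMLHttpRequest.prototype;
  const originalSend = proto.send;
  proto.send = function () {
    gmLog("sending");
    return originalSend.apply(this, arguments);
  };
}

// What a script running in the page can do after each pattern is installed.
function pageScript(page) {
  const result = { calledLogDirectly: false };
  if (typeof page.GM_log === "function") {
    page.GM_log("written by page code");             // page chooses the message
    result.calledLogDirectly = true;
  }
  const xhr = new page.XMLHttpRequest();
  xhr.send("payload");
  result.sent = xhr.sent;
  return result;
}

// Build a fresh page and logger, install one pattern, then run the page script.
function runDemo(install) {
  const page = makePage();
  const priv = makePrivilegedLog();
  install(page, priv.log);
  return { page: pageScript(page), logLines: priv.lines };
}
```

With leakDirect the page script decides what gets logged; with wrapSend the only log line is the fixed "sending" string and the request body still reaches the original send().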