[Greasemonkey] Greasemonkey 0.6.6

Gary Tyler pile0nades at gmail.com
Sun Oct 8 17:57:48 PDT 2006


Yes, I like the new dialog! And that it only downloads the script once.

On 10/8/06, Aaron Boodman <zboogs at gmail.com> wrote:
>
> So here is a trial run of gm 0.6.6.
>
> The main change here (besides FF 2.0 compatibility) is that I updated
> the install script UI to be a little bit more friendly to novice users
> and also to fix a few security problems.
>
> When you click a link to a user script now (or otherwise load one), a
> dialog like the extension install dialog pops up. This dialog shows
> you the script title, the includes and excludes, and the description.
> You also get a button to show the source if you want.
>
> I think that this makes script installation a little bit more
> friendly. It also should address these two problems:
>
> 1. Timing attacks on the install button. Before, since a single click
> installs a script and the button is using area that is usually the
> content's, you could do something where you put a button like:
>
> [double click here for a neat surprise!]
>
> On the first click, you do location.href='evil.user.js' which causes
> the install banner to come up, and the user just installed a user
> script they didn't mean to.
>
>
> 2. Counting attack on the install button. Since GM downloaded the
> script twice during the install process -- once to display to the user
> and once to actually install, it was possible to show the user
> something different than what they actually ended up installing.
>
>
> Let me know what you think,
>
> - a
>
>
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>
>
>
>
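The counting problem from item 2 of the quoted message, next to the download-once flow, as an added example that is not part of the original thread and is not Greasemonkey's own code. The host, the script text and all function names are constructed for illustration.

```javascript
// Added example: a constructed in-memory host and installer, not Greasemonkey code.
// The host answers differently depending on how many times it has been asked.
function makeCountingHost() {
  let hits = 0;
  const reviewed = "// ==UserScript==\n// @name Clock\n" +
    "// @include http://example.com/*\n// @description Shows a clock\n" +
    "// ==/UserScript==\nshowClock();";
  const swapped = reviewed.replace("showClock();", "somethingElse();");
  return { fetch: () => (++hits === 1 ? reviewed : swapped), hits: () => hits };
}

// Pull out the fields the install dialog displays (title, includes, excludes, description).
function parseMeta(source) {
  const meta = { name: null, description: null, include: [], exclude: [] };
  const block = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  if (!block) return meta;
  for (const line of block[1].split("\n")) {
    const m = /^\/\/\s*@(\S+)\s+(.*\S)\s*$/.exec(line);
    if (!m) continue;
    const key = m[1];
    // Ignore keys the dialog does not show (and inherited property names).
    if (!Object.prototype.hasOwnProperty.call(meta, key)) continue;
    if (Array.isArray(meta[key])) meta[key].push(m[2]);
    else meta[key] = m[2];
  }
  return meta;
}

// Old flow as described: one download to display, a second one to install.
function installTwoFetches(host) {
  const shown = host.fetch();
  const installed = host.fetch();
  return { shown, installed, meta: parseMeta(shown) };
}

// Download-once flow: the dialog and the install step use the same bytes.
function installSingleFetch(host) {
  const source = host.fetch();
  return { shown: source, installed: source, meta: parseMeta(source) };
}
```

With the two-download flow the source shown and the source installed differ; with a single download they are identical by construction, whatever the host does on later requests.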

