[Greasemonkey] Greasemonkey 0.6.6

Joe la Poutre jsixpack at gmail.com
Mon Oct 9 00:16:57 PDT 2006


Excellent work!

I think security is an important issue, on the fundamental level (the
blocked attack methods) but evenly important, on the perceived level
by the end user. This dialog will likely help to bring possible
security issues to the mind of the end user, which is a Good Thing in
my opinion.

(working fine in FF 1.5.0.7, Win XP).


On 10/9/06, Aaron Boodman <zboogs at gmail.com> wrote:
> So here is a trial run of gm 0.6.6.
>
> The main change here (besides FF 2.0 compatibility) is that I updated
> the install script UI to be a little bit more friendly to novice users
> and also to fix a few security problems.
>
> When you click a link to a user script now (or otherwise load one), a
> dialog like the extension install dialog pops up. This dialog shows
> you the script title, the includes and excludes, and the description.
> You also get a button to show the source if you want.
>
> I think that this makes script installation a little bit more
> friendly. It also should address these two problems:
>
> 1. Timing attacks on the install button. Before, since a single click
> installs a script and the button is using area that is usually the
> content's, you could do something where you put a button like:
>
> [double click here for a neat surprise!]
>
> On the first click, you do location.href='evil.user.js' which causes
> the install banner to come up, and the user just installed a user
> script they didn't mean to.
>
>
> 2. Counting attack on the install button. Since GM downloaded the
> script twice during the install process -- once to display to the user
> and once to actually install, it was possible to show the user
> something different than what they actually ended up installing.
>
>
> Let me know what you think,
>
> - a
>
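
The "counting attack" from the quoted announcement, modelled as an added example that is not part of either e-mail or of Greasemonkey's own code: a constructed in-memory host answers the first request differently from later ones, and the two-download install flow is shown beside a single-download flow. All function names, the `Map` store and the sample scripts are hypothetical and run under Node.js.

```javascript
// Added example. The host, store and install functions are hypothetical models.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample scripts: same name, different @include scope.
const header = (include) => ['// ==UserScript==', '// @name        Demo',
  '// @description Constructed sample', `// @include     ${include}`,
  '// ==/UserScript=='].join('\n');
const SHOWN = header('http://example.com/*');
const SWAPPED = header('*');

// Constructed host that answers the first request differently from later ones.
function makeCountingHost(first, later) {
  let hits = 0;
  return { fetch: () => (hits++ === 0 ? first : later), hits: () => hits };
}

// Extract the fields the install dialog displays from the metadata block.
function parseMetadata(source) {
  const meta = { name: null, description: null, include: [], exclude: [] };
  const block = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  for (const line of block ? block[1].split('\n') : []) {
    const m = /^\s*\/\/\s*@(\w+)\s+(.*\S)\s*$/.exec(line);
    if (!m || !Object.prototype.hasOwnProperty.call(meta, m[1])) continue;
    if (Array.isArray(meta[m[1]])) meta[m[1]].push(m[2]); else meta[m[1]] = m[2];
  }
  return meta;
}

// Two-download flow from the post: one fetch feeds the dialog, another is installed.
function installTwoFetches(host, url, store) {
  const dialog = parseMetadata(host.fetch(url));
  store.set(url, host.fetch(url));
  return { dialog, installed: parseMetadata(store.get(url)) };
}

// Single-download flow: fetch once, show and later install that same buffer.
function beginInstall(host, url) {
  const source = host.fetch(url);
  return Object.freeze({ url, source, digest: sha256(source), dialog: parseMetadata(source) });
}
function commitInstall(pending, store) {
  // Digest check guards the case where the reviewed copy was staged somewhere mutable.
  if (sha256(pending.source) !== pending.digest) throw new Error('script changed after review');
  store.set(pending.url, pending.source);
  return pending.digest;
}
```

With the two-download flow the dialog reports `http://example.com/*` while the stored script carries `@include *`; with the single-download flow the host is contacted once and the stored bytes are the ones the dialog parsed.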

