Security: Difference between revisions

From GreaseSpot Wiki

Revision as of 04:31, 4 November 2006

Overview

Historically, Greasemonkey would inject a user script into a page by creating a <script> tag with the user script contents inline, and appending it to the content page's DOM.

Mark Pilgrim originally described a security flaw with this design, on July 19th 2005, while Greasemonkey was at version 0.3.4. Greasemonkey version 0.3.5 was immediately released, with all GM_* functions disabled, to plug the security hole. (Needed: more description of what the holes/problems were.)

To fix the security flaw, XPCNativeWrappers, a new feature of the then-in-development Firefox 1.5, were used to isolate privileged user script code from insecure content pages. Certain other changes were made, including restrictions on the GM_xmlhttpRequest method, to disallow access to local files.

unsafeWindow

Wrapping the user script environment this way creates a sandbox. This sandbox introduces many side effects and limitations. To allow maximum flexibility for user script authors, the unsafeWindow property was added to the sandbox.

The window object functions as the global scope in JavaScript. For user scripts, this global window object is in fact a "deep wrapper" of the content window. The content window can be accessed by user scripts, but only indirectly through the wrapper. The unsafeWindow property is a direct line to the actual content window.

Use of the unsafeWindow property should be avoided whenever possible. Its use has the potential to open up all the original security holes that introducing the XPCNativeWrappers fixed. When a user script relies on the unsafeWindow property, it should be included only on trusted pages, and even then is not guaranteed to be safe.
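The following is a toy model, added here as an illustration and not code from the wiki, from Greasemonkey or from Firefox, of the distinction this section draws: a "deep wrapper" over the content window that only ever hands the user script the browser's own implementation of each member, versus unsafeWindow, which is the raw page-controlled object. The NATIVE table, deepWrap, buildContentWindow, viaWrappedWindow and viaUnsafeWindow, and the stand-in window and document objects, are all constructed for this example; real XPCNativeWrappers are implemented inside the browser, not with a JavaScript Proxy.

```javascript
"use strict";

// Added example (not Greasemonkey's or Firefox's code): a toy model of the
// sandbox's "deep wrapper" versus unsafeWindow. Every object here is a
// constructed stand-in for the content window and its document.

// NATIVE records, per object, the members the browser itself implements.
// Anything the content page adds or overwrites becomes an ordinary own
// property of the object and is deliberately NOT in this table.
const NATIVE = new WeakMap();

function defineNative(obj, members) {
  NATIVE.set(obj, members);
  Object.assign(obj, members); // page-visible copies, which page code may overwrite
  return obj;
}

// Deep wrapper: property reads go to the native table, never to the page's
// own properties; nested objects are wrapped on the way out, and functions
// are bound to the underlying object so `this` is the real target.
function deepWrap(obj) {
  return new Proxy(obj, {
    get(target, key) {
      const natives = NATIVE.get(target);
      if (!natives || !Object.prototype.hasOwnProperty.call(natives, key)) {
        return undefined; // page expandos and overrides are invisible here
      }
      const value = natives[key];
      if (typeof value === "function") return (...args) => value.apply(target, args);
      if (value !== null && typeof value === "object") return deepWrap(value);
      return value;
    },
  });
}

// A constructed content window whose page script has tampered with the DOM.
function buildContentWindow() {
  const contentDocument = defineNative({}, {
    getElementById(id) { return { id, providedBy: "native DOM" }; },
  });
  const contentWindow = defineNative({}, {
    document: contentDocument,
    location: "https://example.invalid/", // constructed value
  });
  const pageTrace = { overrideCalls: 0 };
  // Untrusted page-side code: replace a DOM method with its own function
  // and hang an expando property off the window.
  contentDocument.getElementById = function (id) {
    pageTrace.overrideCalls += 1;
    return { id, providedBy: "page script" };
  };
  contentWindow.pageDefinedFlag = "expando";
  return { contentWindow, pageTrace };
}

// What a user script sees through the sandbox's wrapped global window.
function viaWrappedWindow() {
  const { contentWindow, pageTrace } = buildContentWindow();
  const window = deepWrap(contentWindow);
  const el = window.document.getElementById("main");
  return {
    providedBy: el.providedBy,          // "native DOM": the page's override never ran
    overrideCalls: pageTrace.overrideCalls, // 0
    expando: window.pageDefinedFlag,    // undefined: expandos do not cross the wrapper
  };
}

// The same call through unsafeWindow: the page's function executes inside the
// user script's own call, which is exactly the exposure the wrappers removed.
function viaUnsafeWindow() {
  const { contentWindow, pageTrace } = buildContentWindow();
  const unsafeWindow = contentWindow;
  const el = unsafeWindow.document.getElementById("main");
  return {
    providedBy: el.providedBy,          // "page script"
    overrideCalls: pageTrace.overrideCalls, // 1
    expando: unsafeWindow.pageDefinedFlag,  // "expando"
  };
}

console.log("wrapped window:", viaWrappedWindow());
console.log("unsafeWindow:  ", viaUnsafeWindow());
```

Run it with node. Through the wrapper, the page's replacement of getElementById and its expando property never reach the user script; through unsafeWindow, the page's code runs as part of the script's call. In the original inline script-tag design, and again whenever a script reaches through unsafeWindow, that is the path by which page content gets at whatever the script can reach, which is why the section advises against it.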