Editing
Security
(section)
From Greasespot Wiki
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Overview == [[Version history|Historically]], [[Greasemonkey]] would inject a [[user script]] into a page by creating a <code><script></code> tag with the [[user script]] contents inline, and appending it to the content page's DOM. Mark Pilgrim originally [http://mozdev.org/pipermail/greasemonkey/2005-July/004022.html described a security flaw] with this design, on July 19th 2005, while [[Greasemonkey]] was at [[version]] 0.3.4. Essentially, the issue was that Greasemonkey scripts are given special permissions that the rest of the javascript running on the web page is not. For example, Greasemonkey scripts contained their own GM_xmlhttprequest object which, unlike a normal xmlttprequest object, could access any local files one one's computer or make arbitrary requests to arbitrary sites without regard for the same origin policy that typically applies to xmlhttprequest. Unfortunately, because Greasemonkey scripts were injected directly into the page using a script tag, these objects with special permissions could be called by a script sent by the website. In other words, if you ran a Greasemonkey script on a site, the site's own javascript could access all the files on your computer! [[Greasemonkey]] [[version]] 0.3.5 was immediately released, with all [[API reference|GM_* functions]] disabled, to plug the security hole. To fix the security flaw, [[XPCNativeWrapper]]s, a new feature of the then-in-development Firefox 1.5, were used to isolate privileged [[user script]] code from insecure content pages. Certain other changes were made, including restrictions on the [[GM_xmlhttpRequest]] method, to disallow access to local files.
Summary:
Please note that all contributions to Greasespot Wiki are considered to be released under the GNU Free Documentation License 1.3 or later (see
Greasespot Wiki:Copyrights
for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource.
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Page actions
Page
Discussion
Read
Edit
History
Page actions
Page
Discussion
More
Tools
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Navigation
Main Page
Recent changes
Random page
Search
Tools
What links here
Related changes
Special pages
Page information