Security: Difference between revisions

From GreaseSpot Wiki
Latest revision as of 20:02, 3 November 2017

Warning: The contents of this page are not accurate in reference to Greasemonkey 4.0.

This page is a description of Greasemonkey's security model. For tips you can apply directly to your scripts, see Security tips.

Overview

Historically, Greasemonkey would inject a user script into a page by creating a <script> tag with the user script contents inline, and appending it to the content page's DOM.

Mark Pilgrim originally described a security flaw with this design, on July 19th 2005, while Greasemonkey was at version 0.3.4. Essentially, the issue was that Greasemonkey scripts are given special permissions that the rest of the JavaScript running on the web page is not. For example, Greasemonkey scripts had their own GM_xmlhttpRequest object which, unlike a normal XMLHttpRequest object, could access any local files on one's computer or make arbitrary requests to arbitrary sites, without regard for the same-origin policy that normally applies to XMLHttpRequest.

Unfortunately, because Greasemonkey scripts were injected directly into the page using a <script> tag, these objects with special permissions could be called by a script sent by the website. In other words, if you ran a Greasemonkey script on a site, the site's own JavaScript could access all the files on your computer!

Greasemonkey version 0.3.5 was immediately released, with all GM_* functions disabled, to plug the security hole.

To fix the security flaw, XPCNativeWrappers, a new feature of the then-in-development Firefox 1.5, were used to isolate privileged user script code from insecure content pages. Certain other changes were made, including restrictions on the GM_xmlhttpRequest method, to disallow access to local files.

unsafeWindow

Wrapping the user script environment this way creates a sandbox. This sandbox introduces many side effects and limitations. To allow maximum flexibility for user script authors, the unsafeWindow property was added to the sandbox.

The window object functions as the global scope in JavaScript. For user scripts, this global window object is in fact a "deep wrapper" of the content window. The content window can be accessed by user scripts, but only indirectly through the wrapper. The unsafeWindow property is a direct line to the actual content window.

Use of the unsafeWindow property should be avoided whenever possible. Its use has the potential to open up all the original security holes that introducing the XPCNativeWrappers fixed. When a user script relies on the unsafeWindow property, it should be included only on trusted pages, and even then is not guaranteed to be safe.
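A runnable model of both halves of this page: the pre-0.3.5 inline injection versus the wrapped sandbox from the Overview, and the unsafeWindow leak warned about just above. This is an added example, not Greasemonkey's code: the content window is a plain object, the deep wrapper is a Proxy standing in for XPCNativeWrapper, and PRIVILEGED, makeContentWindow, runInjected, runSandboxed and pageCanReachGM are names made up for the model.

```javascript
// Constructed model of the two injection strategies the page describes; not
// Greasemonkey code. The "content window" is a plain object and the "deep
// wrapper" is a Proxy standing in for XPCNativeWrapper.
const PRIVILEGED = Symbol('privileged'); // tags helpers a page script must never obtain

function makeContentWindow() {
  // Untrusted page scope (constructed sample); a real window has far more.
  return { document: { title: 'example page' } };
}

function makeGmApi() {
  // Stand-in for GM_xmlhttpRequest: unlike XMLHttpRequest it is not bound by
  // the same-origin policy, which is why it is marked privileged.
  const GM_xmlhttpRequest = (details) => ({ url: details.url, crossOrigin: true });
  GM_xmlhttpRequest[PRIVILEGED] = true;
  return { GM_xmlhttpRequest };
}

function makeDeepWrapper(target) {
  // Simplified XPCNativeWrapper: reads and writes of properties the page already
  // defines pass through to the real object; new properties (expandos) stay on
  // the wrapper side and never become visible to page scripts.
  const expandos = new Map();
  return new Proxy(target, {
    get(t, key) {
      if (expandos.has(key)) return expandos.get(key);
      const value = Reflect.get(t, key);
      return value !== null && typeof value === 'object' ? makeDeepWrapper(value) : value;
    },
    set(t, key, value) {
      if (key in t) t[key] = value; else expandos.set(key, value);
      return true;
    },
  });
}

function runScript(scope, source) {
  // Evaluate the user script with exactly the names in `scope` visible to it.
  new Function(...Object.keys(scope), source)(...Object.values(scope));
}

// Pre-0.3.5: an inline <script> tag defines the GM_* helpers in the page's own
// global scope, so the page and the user script share one window object.
function runInjected(contentWindow, source) {
  const api = makeGmApi();
  Object.assign(contentWindow, api);
  runScript({ window: contentWindow, unsafeWindow: contentWindow, ...api }, source);
  return contentWindow;
}

// 0.3.5 and later: the GM_* helpers exist only inside the sandbox; `window` is
// the deep wrapper and `unsafeWindow` is the direct line to the content window.
function runSandboxed(contentWindow, source) {
  runScript({ window: makeDeepWrapper(contentWindow), unsafeWindow: contentWindow, ...makeGmApi() }, source);
  return contentWindow;
}

// The check from the page's point of view: can a script served by the site find
// a privileged helper simply by walking the properties of its own window?
function pageCanReachGM(contentWindow) {
  return Object.values(contentWindow).some((v) => typeof v === 'function' && v[PRIVILEGED] === true);
}

const SCRIPT_OK = 'window.document.title = "patched by user script";';
const SCRIPT_LEAK = 'unsafeWindow.fetchAnywhere = GM_xmlhttpRequest;'; // the misuse the page warns about

function scenarios() {
  return {
    injected: pageCanReachGM(runInjected(makeContentWindow(), SCRIPT_OK)),
    sandboxed: pageCanReachGM(runSandboxed(makeContentWindow(), SCRIPT_OK)),
    leakedViaUnsafeWindow: pageCanReachGM(runSandboxed(makeContentWindow(), SCRIPT_LEAK)),
  };
}
```

The sandboxed run still lets the script change the page's title through the wrapper; only expandos and the GM_* helpers stay out of the page's reach, until the script hands one over via unsafeWindow.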

See Also

* Greasemonkey access violation
* Greasemonkey Manual:Environment
* Slashdot: Firefox Greasemonkey Extension Security Problem (http://it.slashdot.org/article.pl?sid=05/07/19/143241)