Security

From GreaseSpot Wiki
Revision as of 07:05, 15 July 2007 by 209.200.52.79 (talk)

This page is a description of Greasemonkey's security model. For tips you can apply directly to your scripts, see Security tips.

Overview

Historically, Greasemonkey would inject a user script into a page by creating a <script> tag with the user script contents inline, and appending it to the content page's DOM.

Mark Pilgrim originally described a security flaw with this design, on July 19th 2005, while Greasemonkey was at version 0.3.4. Greasemonkey version 0.3.5 was immediately released, with all GM_* functions disabled, to plug the security hole. (Needed: more description of what the holes/problems were.)

To fix the security flaw, XPCNativeWrappers, a new feature of the then-in-development Firefox 1.5, were used to isolate privileged user script code from insecure content pages. Certain other changes were made, including restrictions on the GM_xmlhttpRequest method, to disallow access to local files.

unsafeWindow

Wrapping the user script environment this way creates a sandbox. This sandbox introduces many side effects and limitations. To allow maximum flexibility for user script authors, the unsafeWindow property was added to the sandbox.

The window object functions as the global scope in JavaScript. For user scripts, this global window object is in fact a "deep wrapper" of the content window. The content window can be accessed by user scripts, but only indirectly through the wrapper. The unsafeWindow property is a direct line to the actual content window.

Use of the unsafeWindow property should be avoided whenever possible. Its use has the potential to open up all the original security holes that introducing the XPCNativeWrappers fixed. When a user script relies on the unsafeWindow property, it should be included only on trusted pages, and even then is not guaranteed to be safe.

See Also