Security

From GreaseSpot Wiki
Revision as of 04:18, 4 November 2006 by Arantius (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Historically, Greasemonkey would inject a user script into a page by creating a <script> tag with the user script contents inline, and appending it to the content page's DOM.

Mark Pilgrim originally described a security flaw with this design, on July 19th 2005, while Greasemonkey was at version 0.3.4. Greasemonkey version 0.3.5 was immediately released, with all GM_* functions disabled, to plug the security hole.

To fix the security flaw, XPCNativeWrappers, a new feature of the then-in-development Firefox 1.5, were used to isolate privileged user script code from insecure content pages. Certain other changes were made, including restrictions on the GM_xmlhttpRequest method, to disallow access to local files.

This article is a stub. You can help GreaseSpot by expanding it.
Retrieved from "https://wiki.greasespot.net/index.php?title=Security&oldid=1542"