Talk:Location hack: Difference between revisions

From GreaseSpot Wiki
m (→‎Location Hack Broken: Trying inline out of template GRRR)
m (→‎Location Hack Broken: HEY it's later... forgot to unmark these code blocks... unmarked.)
Line 44: Line 44:
The location hack seems to be broken on Firefox 3.0+. Use the following script as an example:
The location hack seems to be broken on Firefox 3.0+. Use the following script as an example:


<div style="border: 1px dashed #dddd55; border-left: 8px solid #dddd55; margin: 0;"><pre style="border: none; margin: inherit;">
<pre>
function test(j)
function test(j)
{
{
Line 55: Line 55:


document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);
document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);
</pre></div>
</pre>


You should get "test is not defined".
You should get "test is not defined".
Line 64: Line 64:
This code works:
This code works:


<div style="border: 1px dashed #55dd8b; border-left: 8px solid #55dd8b; margin: 0;"><pre style="border: none; margin: inherit;">
<pre>
function test(j)
function test(j)
{
{
Line 75: Line 75:


document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);
document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);
</pre></div>
</pre>


'''@Fromp''' Would you post your user agent for confirmation please? [[User:Marti|Marti]] 16:24, 3 May 2009 (EDT)
'''@Fromp''' Would you post your user agent for confirmation please? [[User:Marti|Marti]] 16:24, 3 May 2009 (EDT)

Revision as of 12:17, 6 May 2009

GM_eval vs. eval(s, unsafeWindow) vs. LocationHack

JavaScript in Mozilla/Gecko/Firefox is currently implemented by the SpiderMonkey engine written in C. It implements an eval function that takes an optional second argument to give the scope or context for the eval.

eval(string[, object])

It seems the two-argument eval can do all or more than the location-hack.

The main question is how secure it is in terms of giving a web page control over a browser. (Note that there are problems with this issue but particulars are purposefully rarely mentioned). I can't see how a JS statement like the following could leak any GM access to a web page.

eval(s, unsafeWindow);

But then, the following might be unsafe, particularly if r is later stored somewhere or more particularly if r gets some methods invoked off of it:

var r = eval(s, unsafeWindow);

The obvious solution to make r safe from potential terrors is to wrap it in an XPCNativeWrapper just like GreaseMonkey does.

r = new XPCNativeWrapper(eval(s, unsafeWindow));

Objections to: eval(s, unsafeWindow)

  • It is not as obfuscated as sending the string 'javascript:...' to location.href and is thus not as cool.
  • 2-argument eval is not standard JavaScript
    • While the true GreaseMonkey is based on Mozilla code, there are several other implementations for different browsers with different script engines, and those might not implement 2-argument eval.
    • Mozilla JavaScript is considering and may migrate to standards such as ECMAScript for XML (E4X) and/or go to the open source Tamarin engine which Adobe wants. These new versions of JavaScript might not implement 2-argument eval (though I doubt it).
  • Script writers who directly use eval may break security unless they take the extra step to wrap the result.

Advantages of: eval(s, unsafeWindow)

  • It is less verbose than the location hack. You don't have to wrap strings in things like
javascript:void(...)
  • It permits returning a value in a way that the target page cannot detect.
  • You don't have to worry whether you need to encode special characters like with the location-hack.

GM_eval

To resolve this distinction I propose that the GM API include the function GM_eval. In Mozilla GreaseMonkey it is just defined as something like

function GM_eval (string) {return new XPCNativeWrapper(eval(string, unsafeWindow));}

For other browsers/script-engines that don't have 2-argument eval one might want to make it a 2-argument function:

GM_eval(string, [boolean]);

that uses the location-hack and wraps and encodes the string appropriately. If the second argument is true then that means the function should use some detectable means to record the result inside the target document and return it or just possibly complain with a security error.

Advantages:

  • Using GM_eval semantically indicates that you are safely evaluating something on the target page as opposed to going through some hack back door.
  • You don't need to extra wrap or encode things like for the location-hack.
  • GM_eval would really simplify the documentation of GreaseMonkey. For example this page would disappear. There would be one page on GM_eval that explains what it means and how it can be implemented through eval or the location-hack, and most of the other stuff on this page could go into "code snippets". [Though I have noticed some other references to location-hack that should be cleaned up]

Disadvantages

None seen so far other than increasing the API count by one.
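
The concern above about keeping r, and about invoking methods off it, can be shown outside the browser. This is an added example, not code from this talk page or from Greasemonkey: Node's vm module stands in for the page scope, evalInPage stands in for eval(s, unsafeWindow), and primitiveOnly is a hypothetical helper that is stricter than XPCNativeWrapper rather than a model of it.

```javascript
const vm = require('vm');

// "Page" global: content the script author does not control (constructed sample).
const page = vm.createContext({});
vm.runInContext(`
  var touched = 0;
  var title = { toString: function () { touched++; return 'page-chosen text'; } };
  var count = 3;
`, page);

// Stand-in for eval(s, unsafeWindow): evaluate s with the page as global scope.
function evalInPage(s) {
  return vm.runInContext(s, page);
}

// Hypothetical helper: accept only primitives, so that no page-defined method
// or getter can ever run on the script's side of the boundary.
function primitiveOnly(value) {
  const t = typeof value;
  if (value === null || t === 'string' || t === 'number' ||
      t === 'boolean' || t === 'undefined') {
    return value;
  }
  throw new TypeError('refusing non-primitive result from page scope');
}

function demo() {
  const r = evalInPage('title');        // an object the page fully controls
  const before = evalInPage('touched');
  const text = 'Title: ' + r;           // implicit toString() runs page code
  const after = evalInPage('touched');

  let rejected = false;
  try {
    primitiveOnly(evalInPage('title'));
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    text: text,
    pageCodeRan: after - before,        // how often page code ran while r was used
    rejected: rejected,
    count: primitiveOnly(evalInPage('count')),
  };
}

console.log(demo());
```
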

Location Hack Broken

The location hack seems to be broken on Firefox 3.0+. Use the following script as an example:

function test(j)
{
	alert(j);
}
var j = document.createElement('div');
j.innerHTML = "Click me!";
j.setAttribute('onclick', 'javascript:location.href=void( test("sdf") )');


document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);

You should get "test is not defined".


EDIT:

This code works:

function test(j)
{
	alert(j);
}
var j = document.createElement('div');
j.innerHTML = "Click me!";

j.addEventListener('click', function(e){ test('asdf'); }, false);

document.getElementsByTagName('body')[0].insertBefore(j, document.getElementsByTagName('body')[0].firstChild);

@Fromp Would you post your user agent for confirmation please? Marti 16:24, 3 May 2009 (EDT)

@Marti User agent: Firefox 3.0.9 Ubuntu Jaunty. Fromp 23:51, 5 May 2009 (EDT)

@Fromp Thanks... location hack has been sporadic to say the least... using a flavor of nix myself... btw 3.0.10 is out.