« Mozilla gets cursor:url() support
Super-viral Creative Commons licenses »

Greasemonkey and security

Paul Festa: substantial security risks. Greaseblog: exact same security context as bookmarklets. Me: easier to audit, with line breaks and multiple-character names, though.

This entry was posted on Wednesday, March 23rd, 2005 at 3:42 pm and is filed under shorts. You can follow any responses to this entry through the post feed. You can skip to the end and leave a response. Pinging is currently not allowed.

2 Comments

Comment by Will Hayworth #
2005-03-29 15:46:03

It’s really not that dangerous, IMHO, as long as users take the appropriate security precautions; akin to those of installing an extension.

[PGP signature]
Reply to this comment
Comment by Phil Ringnalda #
2005-03-29 19:55:05

Vastly less dangerous, I’d say; except for the new XMLHttpRequest function, Greasemonkey scripts are stuck within the sandbox of content, while an extension can do anything the browser can do, silently, including update itself into something completely different.

However, most people will never install an extension from anywhere other than UMO, where apparently when it comes back to life they will be at least reasonably audited, and no longer allowed to update from an external update.rdf, while Greasemonkey scripts will probably always be fairly casually hosted and casually audited.

[PGP signature]
Reply to this comment
 
 
Name (required)
E-mail (required - never shown publicly)
URI
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.