Greasemonkey and security

Paul Festa: substantial security risks. Greaseblog: exact same security context as bookmarklets. Me: easier to audit, with line breaks and multiple-character names, though.

2 Comments

Comment by Will Hayworth #
2005-03-29 15:46:03

It’s really not that dangerous, IMHO, as long as users take the appropriate security precautions; akin to those of installing an extension.

Comment by Phil Ringnalda #
2005-03-29 19:55:05

Vastly less dangerous, I’d say; except for the new XMLHttpRequest function, Greasemonkey scripts are stuck within the sandbox of content, while an extension can do anything the browser can do, silently, including update itself into something completely different.

However, most people will never install an extension from anywhere other than UMO, where apparently when it comes back to life they will be at least reasonably audited, and no longer allowed to update from an external update.rdf, while Greasemonkey scripts will probably always be fairly casually hosted and casually audited.

 
 
Name (required)
E-mail (required - never shown publicly)
URI
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.