Comment #44 on issue 18857 by [email protected]: Support for GM Functions (Greasemonkey) in Chrome http://code.google.com/p/chromium/issues/detail?id=18857
IMHO, where Greasemonkey went wrong was exposing security-sensitive APIs like GM_xmlhttpRequest by default, with no way to abstain from it. *That's* why Greasemonkey scripts have security issues, NOT because it allows the usage of unsafeWindow.

So I believe user scripts should contain yet another attribute that specifies which APIs they actually want access to (such as cross-site GM_xmlhttpRequest, unsafeWindow, window.chrome, script storage). A script is potentially insecure only if it requests both unsafeWindow *and* cross-site XHR.

Another idea: I think script storage should be implemented through the HTML5 web storage interface and GM_getValue/GM_setValue can be thin wrappers around that. That way there's also a familiar and standardized interface.

Are these ideas workable? Does this make sense to anyone else too?
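The opt-in attribute proposed in the comment above could be checked at install time roughly as follows. This is an added example, not part of the original comment and not Chromium or Greasemonkey code; the `@api` metadata key, the capability tokens, and the function names are assumptions made for illustration.

```javascript
// Hypothetical capability tokens, following the list given in the comment.
const KNOWN_APIS = new Set([
  "GM_xmlhttpRequest", // cross-site XHR
  "unsafeWindow",      // direct access to the page's own window object
  "window.chrome",
  "storage",           // script storage (GM_getValue / GM_setValue)
]);

// Collect "@api" lines from the ==UserScript== metadata block.
// "@api" is an assumed key name; the comment does not name the attribute.
function parseRequestedApis(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const requested = new Set();
  const unknown = [];
  if (!block) return { requested, unknown }; // no metadata: nothing is requested
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@api\s+(\S+)\s*$/.exec(line);
    if (!m) continue;
    if (KNOWN_APIS.has(m[1])) requested.add(m[1]);
    else unknown.push(m[1]); // unrecognised names are never granted
  }
  return { requested, unknown };
}

// Default-deny review: a script gets only what it declared, and the one
// combination the comment singles out (unsafeWindow plus cross-site XHR)
// is flagged so the installer can warn the user.
function reviewScript(source) {
  const { requested, unknown } = parseRequestedApis(source);
  const risky = requested.has("unsafeWindow") && requested.has("GM_xmlhttpRequest");
  return { granted: [...requested].sort(), rejected: unknown, needsWarning: risky };
}

// Constructed sample scripts (GM_readFile is a made-up name used to show rejection).
const SAMPLE_STORAGE_ONLY = `// ==UserScript==
// @name  Remember scroll position
// @api   storage
// ==/UserScript==
`;
const SAMPLE_RISKY = `// ==UserScript==
// @name  Page helper
// @api   unsafeWindow
// @api   GM_xmlhttpRequest
// @api   GM_readFile
// ==/UserScript==
`;
```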
