Comment #47 on issue 18857 by medleymind: Support for GM Functions (Greasemonkey) in Chrome http://code.google.com/p/chromium/issues/detail?id=18857
aavindraa is right. I don't think there has ever been a reported case of a site specifically writing JavaScript in an attempt to hijack Greasemonkey API functions. It is just a hypothetical scenario that the devs of Greasemonkey have tried to prevent against. The only API that has any real danger to it being hijacked by a web site is cross- domain XHR via GM_xmlhttprequest. Because cookies are passed along in these requests just as if the user was making these requests themselves, a site that has gained access to GM_xmlhttprequest could take actions on a user's behalf (e.g., submitting false posts, getting access to pages with sensitive information). One way to prevent these nefarious actions would be to strip cookie data from cross-domain XHR. This would put some limitations on functionality, but maybe if some type of sandbox is used (similar to one in Greasemonkey), we could just strip cookies from cross-domain XHR that is initiated from outside the sandbox (i.e. unsafeWindow). -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings -- Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs
