Comment #51 on issue 18857 by medleymind: Support for GM Functions (Greasemonkey) in Chrome http://code.google.com/p/chromium/issues/detail?id=18857
Currently GM_xmlhttprequest attempts to prevent access of the GM api functions by the javascript of a page by checking the call stack. One way to subvert this measure is by calling the GM api functions through a setTimeout, so this method of validation is not bulletproof. @abarth "If you have a proposal for how we can implement unsafeWindow safely" How about my suggestion of stripping cookies from cross-site XHR or perhaps only allowing cookies to be set manually (meaning that browser cookies that are already set will not be passed automatically)? Wouldn't this ensure that a page could not act on behalf of a user by gaining access to cross-site XHR through unsafeWindow? -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings -- Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs
