Comment #60 on issue 18857 by [email protected]: Support for GM Functions (Greasemonkey) in Chrome
http://code.google.com/p/chromium/issues/detail?id=18857
@abarth

> Providing access to unsafeWindow is something that can't be made safe, and
> therefore we're not going to implement it.

What do you mean by "safe"? Even if a website can execute code in the script's sandbox, what's inherently unsafe about that? The ONLY privilege that the script has over the website's JavaScript would be cross-site XHR. If the script could somehow abstain from that privilege, then there would be nothing to be gained from breaking into the sandbox.

Most users trust the script less than they trust the websites they are using it on. Giving every script the privilege to do cross-site XHRs is a security nightmare regardless of whether unsafeWindow is there or not.

aavindraa's solution, where a script clearly declares the APIs it needs to use, solves all of this.
