On 2010-02-28 00:57, esquifit wrote:
> On Sun, Feb 28, 2010 at 9:49 AM, cc <[email protected]> wrote:
>> [Arg, forgot to check the linked page before sending; turns out it doesn't
>> have enough examples. Added a note to the page.]
>>
>> Actually, it's a lot worse than that, and it's trivial for someone to make a
>> "variable" that was quite malicious indeed: see
>> http://groups.google.com/group/greasemonkey-dev/tree/browse_frm/thread/933ecdb307c4386d/864b5121ad4698cb
>> for details.
>
> The exploit shown in this thread has been fixed since then.  This
> means that the page doesn't have access to the privileged GM_* api
> anymore, at least in this way.  I still don't know whether this makes
> unsafeWindow actually safe (up to our understanding of the risks), or
> if there are further evil actions possible that the page could carry
> out and that don't involve GM_*.

Ah, OK. Hadn't remembered that specifically. My bad.

--
cc | pseudonymous |<http://carlclark.mp/>

