unsafeWindow

[Alf Eaton]

If I use unsafeWindow in a Greasemonkey script, does the page get
access to
a) the function that calls unsafeWindow,
b) all the functions in the script that calls unsafeWindow,
or
c) all the functions in all the Greasemonkey scripts running on that
page?

alf.

[Neil Greenwood]

d) none of the above.

The security implications of unsafeWindow (as I understand them) is
that attributes/methods of unsafeWindow might have been redefined by
the page, so they may not do what you think they should.

HTH.

Hwyl,
Neil.

[esquifit]

As far as I know nobody has been able/took the trouble/is willing to
explain in a satisfactory way to what extent unsafeWindow puts a risk
on the user of the script.

I know at least of a specific case, namely that the whole content of
the script can be read by the page (and consequently sent to any sever
in the world without the user noticing it). If sensitive data like
passwords or credit cards numbers are hardcoded in the script (which
unfortunately is something that happens) instead of being stored via
GM_setValue, then this information can be leaked to a malicious site
for which the script is enabled.

See [1] for an specific example . Try adding more content to the
sample script; you will see that the whole script source is displayed
in the popup.

What this popups displays is the definition of Function object, or
something like this. I do not know whether it is possible to get
access to the variables/functions in the inner scope (but I suppose
this is not possible by design).

[1] http://arantius.info/files/gm-escalate-getter.html

2007/2/22, Neil Greenwood <neil.green...@gmail.com>:

[Aaron Boodman]

+greasemonkey-dev

FYI, I am tracking down the current nitty gritty details here. It has
been awhile since I have looked at it, and there are lots of
inter-related problems.

Just wanted you to know I am not ignoring the question. Hope to have a
detailed answer this week.

- a