Alter GM_isGreasemonkeyable() for security and features.

Restrict greasing file: and about: URLs, to plug a potential security hole. (Add an about:config accessible preference to override this.) Add greasing data: URLs, and always about:blank (regardless of above). Signed-off-by: Johan Sundström <oyasumi+github@gmail.com>
greasemonkey · Aug 13, 2009 · 61695fe · 61695fe
1 parent 8cc502c
commit 61695fe
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/content/utils.js b/content/utils.js
@@ -355,9 +355,24 @@ function GM_isGreasemonkeyable(url) {
                .getService(Components.interfaces.nsIIOService)
                .extractScheme(url);
 
-  return (scheme == "http" || scheme == "https" || scheme == "file" ||
-          scheme == "ftp" || url.match(/^about:cache/)) &&
-          !/hiddenWindow\.html$/.test(url);
+  if ("http" == scheme) return true;
+  if ("https" == scheme) return true;
+  if ("ftp" == scheme) return true;
+  if ("data" == scheme) return true;
+
+  if ("file" == scheme) {
+    return GM_prefRoot.getValue('fileIsGreaseable');
+  }
+
+  if ("about" == scheme) {
+    // Always allow "about:blank".
+    if (/^about:blank/.test(url)) return true;
+
+    // Conditionally allow the rest of "about:".
+    return GM_prefRoot.getValue('aboutIsGreaseable');
+  }
+
+  return false;
 }
 
 function GM_isFileScheme(url) {

diff --git a/defaults/preferences/greasemonkey.js b/defaults/preferences/greasemonkey.js
@@ -1 +1,3 @@
 pref("extensions.{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.description", "chrome://greasemonkey/locale/greasemonkey.properties");
+pref("greasemonkey.aboutIsGreaseable", false);
+pref("greasemonkey.fileIsGreaseable", false);