New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User scripts should not have chrome privilege in about: pages #1375
Comments
Historical issue reference: |
My initial guess is that it's just running with the principal of the page itself, which is chrome. I'd be inclined to say that injecting into about: (besides blank) should be completely removed, rather than pref'ed like it is now. It's unsafe even without this bug. |
I've spent over an hour on this, and been unable to come up with a fix (drop chrome privilege) that continues to allow the script to do anything (it just completely blocks access to the chrome-scope document). Still thinking we should just drop this feature (injecting into about:s besides blank) altogether. |
In regards to security I am +1 for this. Moz and other addons are starting to create about: entries of their own and I would really rather not see user.js become a security threat to other add-ons including the Moz core. We could never really handle all of them especially if GM isn't aware of them. |
I agree, it should be removed. |
It seems the fix need an update.... I see many Usesrcripts which work on addons-pages. I post a request on greasyfork arround this problem: Firefox 31.0 |
In How to exculde "about:addons" for a script?
"Get Add-ons" loads an iframe with a page from services.addons.mozilla.org and that is a permissible target for scripts. What is strange is that the monkey button continues to show scripts when you switch categories, but it could be that the iframe remains open in the page, just not displayed. If you are getting interference within the iframe then you know the domain to exclude. If you are getting interference outside the iframe, hmm, that's strange. " I wrote: I add: and the script don't work on the addons-page (it hang a moment the page). But the persistence of the iframe is strange: |
Dear @LouCypher and Everybody else; is it safe to allow "about:neterror" in Greasemonkey? you didnt mention about:neterror in your post. Best Regards, [1] http://en.wikipedia.org/wiki/About_URI_scheme#Mozilla-specific_about:_URIs |
It'd be very nice to customize it like this. |
I found that user script run on these about pages has chrome previleges
I tried the snippet on https://developer.mozilla.org/en/Using_nsILoginManager#Retrieving_a_password worked with user script run on the above pages.
Steps to reproduce:
Expected result:
User script should not have chrome privileges and should not have access to XPCOMs
Actual result:
Display usernames and passwords (could be worse)
The text was updated successfully, but these errors were encountered: