Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Opens the script in the internal editor (Scratchpad) - the script starts when @include * #1767

Closed
janekptacijarabaci opened this issue Jul 15, 2013 · 3 comments
Closed

Opens the script in the internal editor (Scratchpad) - the script starts when @include * #1767

janekptacijarabaci opened this issue Jul 15, 2013 · 3 comments
Milestone
1.11

Comments

@janekptacijarabaci
Copy link
Contributor

Consider a simple script (@grant it does not affect):

// ==UserScript==
// @name          test1
// @include       *
// @grant         none
// ==/UserScript==

alert(document.documentURI);
  1. "Add-on Manager - User Scripts"
  2. Right click on the script - "Edit"
  3. Result:

test

Thank you.
@Ventero
Copy link
Contributor

Ventero commented Jul 15, 2013

Considering Scratchpad has chrome privileges, this should probably be fixed right about now.

Ventero added a commit to Ventero/greasemonkey that referenced this issue Jul 15, 2013
@Ventero
Don't run user scripts on data URIs.
82e6a87 
Firefox contains data URIs with chrome privileges (e.g. Scratchpad),
so for security reasons user scripts should never be allowed to run
on data URIs.

Fixes greasemonkey#1767.
@Ventero
Copy link
Contributor

Ventero commented Jul 15, 2013

Ventero@82e6a87 removes the ability for user scripts to run on data URIs. See #1302 for a similar issue with about: URIs. The fix first conditionally allowed about: URIs, however because of #1375 about: URIs were completely disallowed, so I guess the same should be done with data URIs, unless someone is able to come up with a better fix.

Actually, the ability for scripts to run on data URIs was only silently added in the fix for #1302 (61695fe).

@LouCypher
Copy link

Yeah I also found this a week ago.

The problem is not because of it on runs data URIs, but why does it run on non-browser window like Scratchpad (and Stylish editor) and other dev tools (style editor and debugger)?

@Ventero Ventero mentioned this issue May 13, 2014
Closed
@janekptacijarabaci janekptacijarabaci mentioned this issue Aug 23, 2014
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.11
Development

No branches or pull requests
3 participants
@LouCypher @Ventero @janekptacijarabaci