Permalink
Browse files

Alter GM_isGreasemonkeyable() for security and features.

Restrict greasing file: and about: URLs, to plug a potential security
hole.  (Add an about:config accessible preference to override this.)
Add greasing data: URLs, and always about:blank (regardless of above).

Signed-off-by: Johan Sundström <oyasumi+github@gmail.com>
  • Loading branch information...
arantius authored and johan committed Aug 11, 2009
1 parent 8cc502c commit 61695fe69493136dadd30b2206caf478d5096ecc
Showing with 20 additions and 3 deletions.
  1. +18 −3 content/utils.js
  2. +2 −0 defaults/preferences/greasemonkey.js
View
@@ -355,9 +355,24 @@ function GM_isGreasemonkeyable(url) {
.getService(Components.interfaces.nsIIOService)
.extractScheme(url);
- return (scheme == "http" || scheme == "https" || scheme == "file" ||
- scheme == "ftp" || url.match(/^about:cache/)) &&
- !/hiddenWindow\.html$/.test(url);
+ if ("http" == scheme) return true;
+ if ("https" == scheme) return true;
+ if ("ftp" == scheme) return true;
+ if ("data" == scheme) return true;
+
+ if ("file" == scheme) {
+ return GM_prefRoot.getValue('fileIsGreaseable');
+ }
+
+ if ("about" == scheme) {
+ // Always allow "about:blank".
+ if (/^about:blank/.test(url)) return true;
+
+ // Conditionally allow the rest of "about:".
+ return GM_prefRoot.getValue('aboutIsGreaseable');
+ }
+
+ return false;
}
function GM_isFileScheme(url) {
@@ -1 +1,3 @@
pref("extensions.{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.description", "chrome://greasemonkey/locale/greasemonkey.properties");
+pref("greasemonkey.aboutIsGreaseable", false);
+pref("greasemonkey.fileIsGreaseable", false);

0 comments on commit 61695fe

Please sign in to comment.