Hi, I don't know if this is a new security feature or a bug.
If I update to 0.9.14 I can't install scripts dragging them from my disk to the browser anymore. Downgrading to 0.9.13 fixes the problem.
Is this a bug, or a new feature?. If so, how can I enable the local installs again. Thanks.
This happens due to an early return in RemoteScript#_downloadFile introduced here.
If greasemonkey.fileIsGreasable is set to true, installation of local scripts works fine, so I guess the check should either be completely removed, or aURI.spec == file should always be allowed.
aURI.spec == file
Edit: Even though installation works fine, it still throws an error here, since the channel doesn't support nsIHttpChannel, only nsIFileChannel which I guess should be handled more gracefully.
Thanks. Great to know.
Now... Is this the intended behavior from now on?. I thought fileIsGreasable was there to prevent scripts from running on local pages but not to block local script installations as well.
I didn't write that code, and I can't speak for Arantius, but I'm pretty sure it's a bug.
Yes, that's a bug. The intent was to make sure that a malicious script could not // @resource file:///some/sensitive/stuff.txt and indirectly read your drive's contents. This check should not be made for the script itself, of course. And then probably for relative requires within such scripts. I've just tagged this issue for the next upcoming release.
// @resource file:///some/sensitive/stuff.txt
Allow installing local file user scripts.
Reporters: Please test and report whether this build fixes your issues:
yea, it's working now. thanks.