onApi* message handlers have no privilege checking #2777

Sxderp opened this Issue Dec 21, 2017 · 1 comment



Sxderp commented Dec 21, 2017

If you just copy the code that is normally injected when asking for a @grant into the userscript, you can perform the action (send a message to the background) without a problem. Fixed by adding a permission check (against script uuid) for onApi* messages in on-message.js, or for the case of notification (which uses a port) in the port handler.


// ==UserScript==
// @name     Testing APIs
// @version  1
// ==/UserScript==

// Copy of the code normally injected for "@grant GM.notification";
// note that this script declares no @grant at all.
function GM_notification(text, title, image, onclick) {
  let opt;

  if (typeof text == 'object') {
    opt = text;
    if (typeof title == 'function') opt.ondone = title;
  } else {
    opt = { title, text, image, onclick };
  }

  if (typeof opt.text != 'string') {
    throw new Error('GM.notification: "text" must be a string');
  }

  if (typeof opt.title != 'string') opt.title = 'Greasemonkey';
  if (typeof opt.image != 'string') opt.image = 'skin/icon32.png';

  // Talks to the background page directly over the notification port.
  let port = chrome.runtime.connect({name: 'UserScriptNotification'});
  port.onMessage.addListener(msg => {
    const msgType = msg.type;
    if (typeof opt[msgType] == 'function') opt[msgType]();
  });
  port.postMessage({
    name: 'create',
    details: {
      title: opt.title,
      text: opt.text,
      image: opt.image
    }
  });
}

GM_notification('Hello', 'Popsicle', null, function() {
  // ...
});
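
The fix described in the issue is a per-script permission check made before any onApi* message or notification port message is acted on. The following is an added example of such a check, not Greasemonkey's code and not part of the original issue. The grant registry, the `uuid` field on messages, the name-to-grant mapping and every function name are assumptions.

```javascript
// Added example: hypothetical names throughout, not Greasemonkey's code.
// Constructed registry: script uuid -> @grant values recorded at install.
const grantsByUuid = new Map([
  ['11111111-aaaa', ['GM.notification', 'GM.getValue']],
  ['22222222-bbbb', []],                       // script with no @grant
]);

// Grant required by each privileged message or port name (assumed mapping).
const requiredGrant = new Map([
  ['ApiGetValue', 'GM.getValue'],
  ['UserScriptNotification', 'GM.notification'],
]);

// Deny by default: unknown API name, unknown uuid, or missing grant.
function isApiCallAllowed(apiName, uuid) {
  const grant = requiredGrant.get(apiName);
  const grants = grantsByUuid.get(uuid);
  return Boolean(grant && grants && grants.includes(grant));
}

// Stand-ins for the real privileged handlers.
const handlers = new Map([
  ['ApiGetValue', msg => ({value: 'stored:' + msg.key})],
]);

// One-shot messages: gate every Api* message before dispatching it.
function onMessage(message) {
  const name = String(message && message.name);
  if (name.startsWith('Api') && !isApiCallAllowed(name, message.uuid)) {
    return {error: 'not granted: ' + name};
  }
  const handler = handlers.get(name);
  return handler ? handler(message) : {error: 'unknown message: ' + name};
}

// Port-based API: check each port message before acting on it.
// `notify` stands in for the browser notification call.
function onNotificationPortMessage(portName, msg, notify) {
  if (!isApiCallAllowed(portName, msg && msg.uuid)) return false;
  if (msg.name === 'create') notify(msg.details);
  return true;
}
```

The check lives in the background dispatcher rather than in the injected API code, so copying the injected function into a script that declares no grant gains nothing.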

@Sxderp Sxderp changed the title from onApi* message handlers have no priviledge checking to onApi* message handlers have no privilege checking Dec 21, 2017

@arantius arantius added this to the 4.2 milestone Dec 22, 2017

@arantius arantius closed this in 8b5b650 Jan 9, 2018




arantius commented Jan 9, 2018

The above fix is packaged in version 4.2beta2:

Testing is always appreciated!
