Domain: diveintogreasemonkey.org
Stories and comments across the archive that link to diveintogreasemonkey.org.
Comments · 9
-
ozgur uksal
That's a nice idea. I hope you go to get some goed work on it.
Ozgur Uksal
http://diveintogreasemonkey.org/patterns/match-att ribute.html/ -
Slashdot's CSS design
Slashdot's new frontend blinded my eyes before I could find a fix. Does this mean I can sue
/. now? -
Slashdot CSS solutionUntil they let us customize the look through our profiles we can fix it client side via Greasemonkey. So, after checking here I got this:
This significantly reduces the amount of death rays piercing my eyes in the current version. Obviously this is a very crude version with lots of room for improvement. Maybe you can post your own addGlobalStyle functions and we can have a nice Slashdot CSS-fix contest here // ==UserScript==
// @name SlashdotFix
// @namespace http://www.slashdot.org/
// @description Enhances Slashdot's viewing experience ;)
// @include http://slashdot.org/*
// ==/UserScript==
function addGlobalStyle(css) {
var head, style;
head = document.getElementsByTagName('head')[0];
if (!head) { return; }
style = document.createElement('style');
style.type = 'text/css';
style.innerHTML = css;
head.appendChild(style);
}
addGlobalStyle(" body #wrapper { background-color: #bbb; } div div.generalbody form { color: #011; background-color: #bbb; background: #bbb; } "); ;) -
Re:What did they expect?
Not so obvious to me. I though GM was a kind of filter for how the page was displayed. I don't see why it should alter anything outside the browser display or why it should respond to external scripts.
From Dive Into Greasemonkey:
Greasemonkey is a Firefox extension that allows you to write scripts that alter the web pages you visit. You can use it to make a web site more readable or more usable. You can fix rendering bugs that the site owner can't be bothered to fix themselves. You can alter pages so they work better with assistive technologies that speak a web page out loud or convert it to Braille. You can even automatically retrieve data from other sites to make two sites more interconnected.
Greasemonkey does this by injecting scripts that exist on the client machine into the page as it's loading (a bit more complicated than that, but that'll do). These scripts can't be automatically installed by a bad website, so you shouldn't be concerned that you'll suddenly have spyware user scripts installed without your knowledge. The problem here is that GM exposes a few functions for script authors (a simplified interface to XMLHttpRequest, a logging function, persistent data storage and retrieval per script, etc). Due to how the scripts are injected into the page, these functions need to be visible to all scripts on a page. That means that a malicious web author could add script code to his page to check if a GM_* function is defined, and then do nasty stuff with it (especially GM_xmlhttpRequest, because it allows cross-domain access). If you don't have GM installed, you'd never know the malicious page was trying to do something bad. If you do have GM installed, you probably still wouldn't know the page was being bad, but you'd be hurt by it anyway. Exposure of these scripts to all scripts on the page and not just the inserted GM scripts is the flaw. -
Why GreaseMonkey is more Secure then you think
First of all, the problem with GM is not with malicious user scripts, or at least that's only as much of a problem as malicious extensions, and user scripts may even be less so so they are easier to read.
The problem lies in the interaction between certain API's and the DOM. They aren't seperated, and a malicious page can use the API's to execute remove commands, including accessing local files.
That seems like a big problem, until you realize, as the people working on this do, that a malicious webpage must be in the included list to utilize this exploit.
In other words, site specific user scripts, what GM was designed to impliment, are only vulnerable if that site passes malicious javascript.
Non-site specific user scripts, like Linkify, are the issue. They can easily be disabled in Tools>Manage User Scripts. They can generally be identified because they have a "*" or other general includes instead of a specific site url.
Don't believe me? test it yourself, here, with the example exploit. If all you see is a blank page, then congratulations your GM is probably still secure. -
More details on the exploit...
Here are some more details from the posting thread, which explains why the exploit is so bad...
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.
http://diveintogreasemonkey.org/experiments/localf ile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.The above information posted originally by Mark Pilgrim
-
Re:Uhh... what?
the user-customizable CSS and link style in Opera -- does Firefox have something comparable?
Yes. Firefox has something staggeringly, jaw-droppingly better: Greasemonkey , which lets you easily add bits of DHTML ("user scripts") to any web page to change its behavior.
Spend 30 minutes skimming Mark Pilgrim's online guide to Greasemonkey, and checking out his example scripts -- you will be blown away!
-
Re:Great
You can do that with javascript...
How about this pattern, which is included in the book linked from this article? -
Re:Does it something like Bookmarklet ?
Check out the API reference to see what GM gives that bookmarklets don't (aside from automated execution).