paxdiva.blogg.se

Tampermonkey what is safe

Learn the history of Greasemonkey security and how it affects you now.

Once upon a time, there was a security hole. (Stay with me.) Greasemonkey's architecture has changed substantially since it was first written. Version 0.3, the first version to gain wide popularity, had a fundamental security flaw: it trusted the remote page too much when it injected and executed user scripts.

Back in those days, Greasemonkey's injection mechanism was simple, elegant…and wrong. It initialized a set of API functions as properties of the global window object, so that user scripts could call them. Then, it determined which user scripts ought to execute on the current page based on the @include and @exclude parameters. It loaded the source code of each user script, created a <script> element, assigned the source code of the user script to the contents of the element, and inserted the element into the page. Once all the user scripts finished, Greasemonkey cleaned up the page by removing the elements it had inserted and removing the global properties it had added.

Simple and elegant, to be sure; so why was it wrong? The answer lies in the largely untapped power of the JavaScript language and the Document Object Model (DOM). JavaScript running in a browser is not simply a scripting language. The browser sets up a complex object hierarchy for scripts to manipulate the web page, and a complex event model to notify scripts when things happen.
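The injection design described above can be modelled in a few lines to show why cleanup afterwards does not help. This is an added example, not Greasemonkey's code: the window is a constructed plain object, and privilegedFetch, isolatedInject and auditExposure are hypothetical names.

```javascript
// Constructed model: "window" is a plain object, and the page registers a
// listener that fires whenever the document changes (the browser's event model).
function makePage() {
  const seenByPage = []; // non-page globals the page's own code could observe
  const win = { document: { title: "constructed page", listeners: [] } };
  win.document.setTitle = (text) => {
    win.document.title = text;
    win.document.listeners.forEach((fn) => fn());
  };
  win.document.listeners.push(() => {
    for (const name of Object.keys(win)) {
      if (name !== "document") seenByPage.push(name);
    }
  });
  return { win, seenByPage };
}

// Hypothetical privileged helper standing in for the extension's API functions.
function makeApi(calls) {
  return { privilegedFetch: (url) => { calls.push(url); return "ok"; } };
}

// Design from the text: API on the page's window, run script, then clean up.
function legacyInject(win, userScript, api) {
  Object.assign(win, api);
  try {
    userScript(win);
  } finally {
    for (const name of Object.keys(api)) delete win[name];
  }
}

// Assumed alternative: the script gets its own scope; the page's window is untouched.
function isolatedInject(win, userScript, api) {
  userScript(Object.assign(Object.create(null), api, { document: win.document }));
}

// A user script that edits the page and then uses the privileged helper.
function userScript(scope) {
  scope.document.setTitle("edited by user script");
  scope.privilegedFetch("https://example.invalid/data");
}

function auditExposure(inject) {
  const calls = [];
  const { win, seenByPage } = makePage();
  inject(win, userScript, makeApi(calls));
  return { seenByPage, leftBehind: Object.keys(win).filter((n) => n !== "document"), calls: calls.length };
}
```

auditExposure(legacyInject) reports privilegedFetch in seenByPage even though leftBehind is empty after cleanup, while auditExposure(isolatedInject) reports nothing visible to the page.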