Article:		Avoid Common Pitfalls in Greasemonkey
Subject:		Security of wrappedJSObject
Date:		2008-01-02 16:23:49
From:		Lunatic_Lycanthrop
I don't fully understand why is wrappedJSObject insecure. For example, as a workaround to the "style" attribute problem, you could use the following code: document.wrappedJSObject.body.setAttribute("style","background-color:#f90; font-size: 14px;"); ... and so, yo could set a large amount of attributes in only one string. However, the page of XPCNative wrapper at mozilla.org advises: As the name of this section implies, doing so is unsafe. You shouldn't use wrappedJSObject to bypass XPCNativeWrapper in production code. (http://developer.mozilla.org/en/docs/XPCNativeWrapper) My question then would be ¿Why?

Showing messages 1 through 2 of 2.

• Security of wrappedJSObject
  2008-08-24 00:12:32  gaudio [View]
  
  
  The primary reason it's unsafe is because it's possible for the remote site to have redefined the 'setAttribute' method on the body. In that case, you are running remote code, which could be doing anything, in the privileged sandbox of Greasemonkey.
  
  If I'm not mistaken, this remote script could be written to grab a hold of some of the privileged objects, especially GM_xmlhttpRequest, and start going crazy with it.
  
  What's really needed is the ability to drop out of the sandbox when calling a method defined from the remote page, whether directly or via an object. Of course, this guide was written about 0.3 Greasemonkey versions ago, so perhaps it's become a bit more secure.

• Security of wrappedJSObject
  2008-02-26 14:42:33  DeBa [View]
  
  
  I ask myself the same question. The answer I found is in this article above on Page 1-2. It is unsave, because your Greasemonkey - script could be trapped and stopp running on the site.