Firefox and Greasemonkey
I'm a big fan of the Greasemonkey plugin. It's definitely a power-user feature, and a walking security flaw. Greasemonkey, for those not familiar, allows you to run your own custom javascripts on the pages that you visit. This can be very powerful- I've written several that address certain annoyances I might other wise have to deal with- like the crappy color scheme on the new FARK. My own javascript runs and replaces it.
Here's the thing that I noticed though- I can use javascript to add references to other javascript files. For example, I can write a script that tells the page to append new tags. This loads, and executes, the script contained in those files.
I'm not sure what advantage this has. It could be used to make a self-updating Greasemonkey script- by simply changing the files on the server, every user that uses the script would now benefit from it. The obvious downside is that this newly loaded script could be changed on the fly- without the user's consent. It still runs in a sandbox, but I can easily use DOM objects like the IFrame to break out of it and do... well, nasty nasty things.
I think though, a sever-side GM script could be really useful for multi-user applications. Perhaps I'll write my client-side loader to do some basic validation and force the user to see the script, or verify a digital signature or something. I'll have to poke around on the GM and Firefox APIs to see if that's feasible.
One use that I'll have even before adding the security is for pushing scripts between home and work- only one script needs to be kept up to date, as opposed to a dozen.
Here's the thing that I noticed though- I can use javascript to add references to other javascript files. For example, I can write a script that tells the page to append new tags. This loads, and executes, the script contained in those files.
I'm not sure what advantage this has. It could be used to make a self-updating Greasemonkey script- by simply changing the files on the server, every user that uses the script would now benefit from it. The obvious downside is that this newly loaded script could be changed on the fly- without the user's consent. It still runs in a sandbox, but I can easily use DOM objects like the IFrame to break out of it and do... well, nasty nasty things.
I think though, a sever-side GM script could be really useful for multi-user applications. Perhaps I'll write my client-side loader to do some basic validation and force the user to see the script, or verify a digital signature or something. I'll have to poke around on the GM and Firefox APIs to see if that's feasible.
One use that I'll have even before adding the security is for pushing scripts between home and work- only one script needs to be kept up to date, as opposed to a dozen.