The Lair

Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup

grease remover

Well, it’s official now. Greasemonkey is stuck in a holding pattern for the moment while the developers figure out how to fix some potentially nasty security flaws.

The most recent release, 0.3.5, is a recommended upgrade for all users. It, however, contains no special GM_ functions. Essentially, Greasemonkey now functions as a custom user script injector, without the special bits. Having said that, quite a few useful scripts still function properly. The question is, would you want to run them anyway? Mark Pilgrim thinks otherwise, and says so, in fairly blunt language. I tend to agree with him, actually.

A while ago, I made a reference to Opera also being capable of user scripts. They have their own script repository and seem quite cool. A bit more powerful than Greasemonkey, even. An introduction is found here. One of the interesting things about this is that Opera claims compatibility with Greasemonkey scripts. Well, in the spirit of adventure, I decided to give this compatibility a spin to see if the vulnerabilities existent in the Firefox Greasemonkey also exist in Opera’s version. I enabled a Greasemonkey script with the dreaded @include=* directive and went around visiting a site with vulnerability detection enabled. I did this for both Firefox and Opera (yes, I still keep around a vulnerable version of Greasemonkey on a testing Firefox instance. Sue me). Firefox displays the error message warning me that my version of Greasemonkey is at risk. Opera … does not. So, it seems that Opera’s compatibility does not extend to mirroring security flaws. Bad Opera! (Yes, that’s a joke. Stay off my back, Opera fanatics).

How this is done is simple. Opera appears to have no support for the special GM_ functions! So, in essence, Opera’s compatibility is almost exactly the same as Greasemonkey 0.3.5 on Firefox. Oh, and their support for XPath appears to be minimal/non-existent, but let’s not get into that right now. Seeing that Opera is my viable replacement browser for Firefox, I care about such things as Greasemonkey support and how Opera actually renders layout now. And on the score of rendering, it seems that Opera is almost (but not quite) the same as Firefox. Pixel perfect cross browser rendering is a way off, I’d reckon.
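The two script properties this post keeps coming back to, a catch-all @include and reliance on the GM_ functions, can be checked mechanically before deciding what to keep installed. The following is an added example, not code from Greasemonkey, Opera or this post; it assumes the standard `// ==UserScript==` metadata block with `// @include <pattern>` lines, and the function names and the sample script are constructed for illustration.

```javascript
// Added example (not Greasemonkey or Opera code): triage helper for user scripts.
const GM_CALL = /\bGM_[A-Za-z]\w*/g;

// Read "// @key value" lines between the ==UserScript== markers.
function parseMetadata(source) {
  const meta = { name: null, include: [] };
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\w+)\s+(.+?)\s*$/);
    if (m && m[1] === 'include') meta.include.push(m[2]);
    else if (m && m[1] === 'name') meta.name = m[2];
  }
  return meta;
}

// True for patterns that match every page: "*", "http://*", "http*://*/*", ...
function isCatchAll(pattern) {
  const rest = pattern.replace(/^(\*|https?|http\*):\/\//, '');
  return rest.includes('*') && /^[*\/]+$/.test(rest);
}

// Heuristic: drop full-line // comments (this also drops the metadata block),
// then /* */ comments, so GM_ names that appear only in comments are not counted.
function gmFunctionsUsed(source) {
  const code = source.replace(/^\s*\/\/.*$/gm, '').replace(/\/\*[\s\S]*?\*\//g, '');
  return [...new Set(code.match(GM_CALL) || [])].sort();
}

function auditUserScript(source) {
  const meta = parseMetadata(source);
  const catchAll = meta.include.filter(isCatchAll);
  const gmFunctions = gmFunctionsUsed(source);
  // Triage rule chosen for this example: look first at scripts that both run
  // on every page and depend on GM_ functions.
  const reviewFirst = catchAll.length > 0 && gmFunctions.length > 0;
  return { name: meta.name, catchAll, gmFunctions, reviewFirst };
}

// Constructed sample script, for illustration only.
const SAMPLE = [
  '// ==UserScript==',
  '// @name     Constructed Sample',
  '// @include  *',
  '// @include  http://example.com/*',
  '// ==/UserScript==',
  '// GM_log is mentioned only in this comment',
  "var seen = GM_getValue('seen', 0); GM_setValue('seen', seen + 1);",
].join('\n');
console.log(auditUserScript(SAMPLE));
```

An empty `gmFunctions` list means the script does not depend on the functions that 0.3.5 and Opera leave out, so it is one of the scripts that should still run there.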

And interesting in its own right and also as a sort of bandaid for Greasemonkey security, I’ve been told by several people about NoScript. Seems a good solution to many annoying JavaScript problems, and most importantly, running this extension doesn’t slow the browser beyond all belief. It’s just a tad annoying at first to whitelist all the places where you’d not mind JavaScript executing; after that, it’s a doddle. (Official mozilla.org installer is here). Of course, I should note that there is nothing to stop some evil person from hacking a trusted server, placing their own evil JavaScript instead of the corny image rollover.js and exploiting your Greasemonkey. NoScript is a bandaid. An effective one, but it’s not quite the cure for Greasemonkey ailments. Be warned. Ok, so have we established that I worry way too much about security? Good. Let’s move on.
