Cross-domain XMLHttpRequest via Greasemonkey
Posted 2005-03-28 @ 15:03:13
Jeremy Dunck points out that Aaron Boodman has posted a patch to the Greasemonkey mailing list which allows the XMLHttpRequest object to reach across domains: a user script can fetch content from any host, not just the one the current page was served from, which the browser's same-origin policy would normally forbid. The sample script simply displays information from Technorati about the current URL, which isn't necessarily useful or interesting, but works well as a proof of concept.
Obviously, this raises serious security concerns regarding cross-site scripting, and rightfully so: a user script that can read from and post to any domain does so with the installing user's browser privileges, so installing one means trusting its author with every site it runs on. Regarding user scripts in general, Aaron says:
I think people should be careful which userscripts they install on their computer. If they aren't javascript-literate, maybe they should hold off until there is a community rating system in place.
That pretty much sums up my feelings, and applies to favelets as well, especially those that insert SCRIPT elements into the current document, which is, after all, XSS in action. Adding server-side scripts to the mix certainly complicates matters, but I'm too excited about the cool things that might be possible to worry about all that security nonsense right now.