Greasemonkey and venkman

On Aug 11, 2006, at 3:30 AM, James Cowan wrote:

>
> Is it possible to use Venkman to debug a gm user.js
script?

Did you ever get an answer to this question?

Dave
_______________________________________________
Greasemonkey mailing list
Greasemonkeymozdev.org
http:
//mozdev.org/mailman/listinfo/greasemonkey

GM scripts are executed in greasemonkey.js, more exactly, in
the
evalInSandbox method, which in turns calls the native
function
Components.utils.evalInSandbox [1]:

(greasemonkey.js, 223) Components.utils.evalInSandbox(code,
sandbox);

Being written in C++, this cannot be debugged with Venkman.

Maybe there is way to slightly modify greasemonkey.js in
order to
substitute the native evalInSandbox with something else that
can be
debugged?

Incidentally, while searching for information regarding this
possibility, I came across Mozilla Security Advisory 2006-31
[2].  I'm
more than a bit surprised that this, being critical for GM,
hasn't
been mentioned in this list till now. This should be
discussed in
another thread, though.

[1] http://developer.mozilla.org/en/docs/Componen
ts.utils.evalInSandbox
[2] http://www.mozilla.org/security/announce/2006/mfsa
2006-31.html

2006/8/21, Dave Land < landaol.com>:
> On Aug 11, 2006, at 3:30 AM, James Cowan wrote:
>
> >
> > Is it possible to use Venkman to debug a gm 
user.js script?
>
> Did you ever get an answer to this question?
>
> Dave
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkeymozdev.org
> http:
//mozdev.org/mailman/listinfo/greasemonkey
>
_______________________________________________
Greasemonkey mailing list
Greasemonkeymozdev.org
http:
//mozdev.org/mailman/listinfo/greasemonkey

On 8/21/2006 3:27 PM, esquifit wrote:
> Incidentally, while searching for information regarding
this
> possibility, I came across Mozilla Security Advisory
2006-31 [2].  I'm
> more than a bit surprised that this, being critical for
GM, hasn't
> been mentioned in this list till now. This should be
discussed in
> another thread, though.
> 
> [2] http://www.mozilla.org/security/announce/2006/mfsa
2006-31.html

Here's my take.

The linked page specifically mentions that "... a
malicious userscript 
could gain enough privilege to install malware, but even
when 
Greasemonkey is working as designed a malicious userscript
can make life 
miserable. Only install userscripts from sources you can
trust."

The purpose of evalInSandbox, for GreaseMonkey, is to
separate the user 
script from the content page.  If a mozilla bug makes *that*
not happen, 
then it is a big problem.  The threat of a user script
acting malicious 
is smaller, if only because the number of user scripts you
run is surely 
smaller than the number of web sites you visit.

It was also fixed 2 patch levels (minor revisions?) ago =)
_______________________________________________
Greasemonkey mailing list
Greasemonkeymozdev.org
http:
//mozdev.org/mailman/listinfo/greasemonkey

2006/8/21, esquifit <esquifitgooglemail.com>:
> Incidentally, while searching for information regarding
this
> possibility, I came across Mozilla Security Advisory
2006-31 [2].  I'm
> more than a bit surprised that this, being critical for
GM, hasn't
> been mentioned in this list till now.

Oh, I see: "Fixed in: Firefox 1.5.0.4".  Sorry.
Forget it.
_______________________________________________
Greasemonkey mailing list
Greasemonkeymozdev.org
http:
//mozdev.org/mailman/listinfo/greasemonkey

On 8/21/06, esquifit <esquifitgooglemail.com> wrote:
> 2006/8/21, esquifit <esquifitgooglemail.com>:
> > Incidentally, while searching for information
regarding this
> > possibility, I came across Mozilla Security
Advisory 2006-31 [2].  I'm
> > more than a bit surprised that this, being
critical for GM, hasn't
> > been mentioned in this list till now.
>
> Oh, I see: "Fixed in: Firefox 1.5.0.4". 
Sorry. Forget it.

Well, I noticed it, but only when looking at the release
notes for
1.5.0.4.  It's not a moot point-- you have to wonder if
there are
other ways of escaping the sandbox-- but it certainly isn't
easily
done.
_______________________________________________
Greasemonkey mailing list
Greasemonkeymozdev.org
http:
//mozdev.org/mailman/listinfo/greasemonkey