Here's a useful little GreaseMonkey user script, as a demonstration:
The question being whether you should trust a script like this one which pulls in Javascript from a further call to an external site.
I guess you generally have to trust applications and anything else that runs locally, but I'm worried about externally hosted scripts (and also Firefox extensions) that could easily become dangerous without any warning.
Comments
All fields are optional, email address will not be shown; no HTML, URLs are automatically hyperlinked.
Yep, there are definitely security concerns w/ Greasemonkey in general, and that script in specific.
There's a new implementation of the same feature which uses a JS implementation of textile here:
http://philwilson.org/blog/2005/03/textile-your-textareas-with.html
And there's a directory of scripts here:
http://dunck.us/collab/GreaseMonkeyUserScripts
Yes, although Phil's version still needs to have the code for the external script removed (that was the example I was going to use at first, until I realised that it didn't actually use the external call any more).
You can run the pyTextile gateway on your own server if you are concerned with security and/or privacy. The CGI script is available here:
http://dealmeida.net/code/textilable.py.txt
I should probably add a warning to the script explaining about the dangers of injecting arbitrary Javascript, and also that everything is logged (directly by the CGI and indirectly by Apache).
Thanks for the point-out guys, I only knocked it out in a hurry, and completely forgot to remove the reference to Roberto's script. Fixed now.
Is there a difference in security concerns between Greasemonkey and a bookmarklet? I may have missed something in the technicalities of Greasemonkey, but it looks like a bookmarklet that is applied automatically, or is it more powerful?
It is essentially the same kind of script. The difference is that a GreaseMonkey script can run automatically on every page you visit, whereas the bookmarklet only runs when you click it.