Wednesday, April 20, 2011

Breaking change: Inject into about:blank?

Back in version 0.8.2 we patched a security/privacy hole by preventing injection into file: and about: scheme URLs. This was August 2009, and at the time we specifically allowed about:blank (while blocking the rest of about:). A carefully crafted web search, [site:userscripts.org/scripts/review/ "about:blank" -"src about:blank"] reveals (among plenty false positives just making frames/windows that start blank) that real scripts are using this feature. Examples include:
Then there's scripts specifically avoiding about:blank:
Yes, I ended up finding only one real script using this feature. In much the way that I imagined it way back when. But I found four specifically trying to avoid it.

We now know of one real, serious bug with this approach. It happens to have an easy workaround, but really brings to light the issue: The about:blank page has a sort of special meaning. In this bug we know about, the browser is using a navigation to about:blank as a sort of clean-up, meaning "this content is gone", much like assigning null as a cleanup activity in some programming languages.

Therefore our current plan is to not inject scripts into about:blank unless the @include rule specifically mentions it. So if you say @include about:blank#mycustomvalue then everything will work as it does. But if you say @include * (or rely on that default) then you will not run on about:blank. Current plans would include this change in the upcoming version 0.9.3.

(As always, please find us on greasemonkey-dev to discuss the development of Greasemonkey itself.)