Thanks for your neat script! Much appreciated.
How would you do this if Flash Player was disabled?
window.location = unsafeWindow.so.getVariable("source");
works, but, as unambiguously noted on http://wiki.greasespot.net/UnsafeWindow, this might be unsafe.
What do you reckon could happen? Could some BOFH from webshots.com replace
so.addVariable('source', 'somepic.jpg');
with
so.addVariable('source', 'malicious code');
so that I'd end up with
window.location = 'malicious code';
in my user.js? Could that be bad? I mean: wouldn't all the regular security mechanisms apply, like when browsing a malicious website by clicking on a link? I didn't dig through all this XPCNativeWrapper stuff yet. Will do it asap :o)
AFAICS
so.write('fullSizeImageLoaderContainer');
doesn't alter the fullSizeImageLoaderContainer-div unless Flash is installed. So, a possible workaround could be to rewrite SWFObject locally. I don't know if it's worth the effort. Will look into it.
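One way to treat the value read through unsafeWindow as untrusted before assigning it to window.location, as an added example that is not part of the original post or script. The function name `safeImageUrl`, the allowed host suffix `webshots.com`, the image-extension list and the sample inputs are assumptions made for illustration.

```javascript
// Added example: validate a page-supplied value before using it as a
// navigation target. Host suffix and extension list are assumptions.
const ALLOWED_HOST_SUFFIX = 'webshots.com';
const IMAGE_EXT = /\.(jpe?g|png|gif)$/i;

function safeImageUrl(raw, baseHref) {
  // Accept only primitive strings: anything else could be a page-defined
  // object whose toString() or getters run page code when coerced.
  if (typeof raw !== 'string' || raw.length > 2048) return null;

  let url;
  try {
    url = new URL(raw, baseHref); // resolves relative values like 'somepic.jpg'
  } catch (e) {
    return null; // not parseable as a URL at all
  }

  // Only plain web navigation; this rejects javascript:, data:, file: etc.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;

  // The host must be the expected site or one of its subdomains.
  const host = url.hostname.toLowerCase();
  const onSite = host === ALLOWED_HOST_SUFFIX ||
                 host.endsWith('.' + ALLOWED_HOST_SUFFIX);
  if (!onSite) return null;

  // The script only ever wants an image, so require an image path.
  return IMAGE_EXT.test(url.pathname) ? url.href : null;
}

// Constructed sample inputs standing in for so.getVariable("source").
const BASE = 'http://www.webshots.com/photo/123';
const samples = ['somepic.jpg', 'javascript:void(0)',
                 'http://webshots.com.example.net/x.jpg'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeImageUrl(s, BASE));
}

// In the user script (the call itself still runs page code via unsafeWindow):
//   const target = safeImageUrl(unsafeWindow.so.getVariable('source'), location.href);
//   if (target) window.location = target;
```

The check only constrains the returned value; calling `so.getVariable` through unsafeWindow still executes a function the page controls.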