Sunday, February 19, 2012

How to apply Greasemonkey scripts to local files



Quoted from: http://www.firefox.net.cn/forum/viewtopic.php?t=31181



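Since a recent update, Greasemonkey scripts can no longer be used on local files. In other words, GM scripts for text linkification, automatic highlighting, select-to-translate and so on no longer have any effect on web pages saved locally, the HTML pages of e-books, or even web clippings saved by Scrapbook.

After a long search, I finally found what is practically the only thread discussing this problem:

Quote:
On Wed, Dec 30, 2009 at 1:00 AM, Matt Sargent <matt.sarg...@earthlink.net> wrote: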

Until a recent release, Greasemonkey could run on locally stored HTML pages. This was very handy, especially when combined with the Scrapbook add-on. Does anyone know of a way to restore this behavior to a script?
>>>
On 12/29/2009 7:06 PM, esquifit wrote:
Since a couple of releases there are two new 'hidden' preferences:

greasemonkey.aboutIsGreaseable
greasemonkey.fileIsGreaseable

The default value is "false". If you want Greasemonkey to run on file:/// urls, you have to set the second one to "true" (in about:config).
>>>
On Fri, Jan 1, 2010 at 7:49 AM, Matt Sargent <matt.sarg...@earthlink.net> wrote:
THANK YOU!! This was exactly what I was looking for. It works perfectly.

In other words, changing the value of "greasemonkey.fileIsGreaseable" in about:config to "true" makes GM scripts work on local files.
However:
Quote:
esquifit
Fri, 01 Jan 2010 02:39:49 -0800

Glad to know. Keep in mind, however, that this implies a security risk. A malicious userscript could open a tab or a frame, load a "file:" url from your local drive into it, read the contents and send them to any server. Even binary files could be stolen in this way, including files stored in your Firefox profile containing sensitive information (passwords, cookies, history, etc). In order to know the exact location of the profile folder the attacker could either do a recursive scan of your hard disk (directory contents can also be listed via file: urls) until it reached the profile.ini file in which all profile directories are listed, or it could open the about:cache page and read the profile from there, provided access to about: urls is granted via the "greasemonkey.aboutIsGreaseable" preference. This security risk was in fact the motivation for the new preferences, as far as I can remember. This was handled in bug #1000:

http://github.com/greasemonkey/greasemonkey/issues/closed#issue/1000

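In other words, doing this carries a risk: for a malicious GM script, it opens the door to stealing your private data.
This is not unsolvable, though. After enabling the preference above, for each GM script that you have confirmed to be safe and that needs to work on local files, use Greasemonkey's script management to add "file:///*" to its include rules; for scripts you do not trust, add the same rule to their exclude rules. When installing scripts, take note: if a script applies to all web pages (its include rule is "*"), change its include rule right after installation (for example, to "http://") or add "file:///*" to its exclude rules as a precaution.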
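
The include/exclude review described above can be checked mechanically. The following is an added example, not code from the original post or from Greasemonkey: it reads the `@include`/`@exclude` lines of a userscript's metadata block and reports whether the script would run on a `file:///` page. The function names, the sample scripts and the probe URL are constructed for illustration, and it assumes simplified glob matching and that a script with no `@include` is treated as `@include *`.

```javascript
// Added example: audit userscript metadata for rules that reach file:/// URLs.
// Assumption: simplified glob matching ("*" = any run of characters); regex-style
// rules and the ".tld" shorthand are not handled.

function parseRules(source) {
  const rules = { include: [], exclude: [] };
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (block) {
    for (const line of block[1].split(/\r?\n/)) {
      const m = line.match(/^\s*\/\/\s*@(include|exclude)\s+(\S+)/);
      if (m) rules[m[1]].push(m[2]);
    }
  }
  // A script that declares no @include is treated as "@include *".
  if (rules.include.length === 0) rules.include.push("*");
  return rules;
}

function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// A script runs on a URL when an include rule matches and no exclude rule does.
function runsOn(rules, url) {
  const hit = (list) => list.some((glob) => globToRegExp(glob).test(url));
  return hit(rules.include) && !hit(rules.exclude);
}

// "exposed" means the script would run on a local file once
// greasemonkey.fileIsGreaseable is true; the probe URL is a constructed sample.
function auditLocalFileAccess(source, probe = "file:///home/user/saved-page.html") {
  return runsOn(parseRules(source), probe) ? "exposed" : "safe";
}

// Constructed sample scripts (metadata only), not taken from real userscripts.
const meta = (...lines) =>
  ["// ==UserScript==", ...lines.map((l) => "// " + l), "// ==/UserScript=="].join("\n");
const samples = {
  wildcard: meta("@name Linkify", "@include *"),
  hardened: meta("@name Linkify", "@include *", "@exclude file:///*"),
  webOnly: meta("@name Translate", "@include http://*", "@include https://*"),
  noInclude: meta("@name Highlighter"),
  trustedLocal: meta("@name Reader", "@include file:///*"),
};

for (const [name, src] of Object.entries(samples)) {
  console.log(name.padEnd(13), auditLocalFileAccess(src));
}
```

Any script reported as "exposed" should be one you have deliberately trusted with local files; everything else needs the `file:///*` exclude rule or a narrower include rule.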
