
Are my Greasemonkey scripts visible outside my PC?

Forgive me if this is a dumb question. I'm not familiar with how browser scripts are handled.

I'm writing a short Greasemonkey script that involves auto-logging me into a website, which of course involves inserting my password. I was planning to just include my password in the script itself, but I'm concerned that if it's possible for anyone else to see my script, they will also see my password.

So my question is, is it possible for my script to be seen by anyone/anything beyond my browser and local PC? I'm not talking about anyone else using my computer, but anyone "probing" or otherwise inspecting my browser from elsewhere on the net.

If so, how can I store my password so it can be auto-inserted without sacrificing my security?

Nominally, no. Greasemonkey scripts are not any more visible outside your PC than any other unencrypted file on your hard drive.

That said, there are several things to keep in mind:

  1. Use a password utility instead.
    Use trusted utilities that are designed to work with and secure passwords as much as possible. As mentioned, LastPass is pretty popular. I have also used Secure Login to good effect.

    Admittedly, these utilities do not work for every situation, since so many sites insist on their own variations of a login page/system. So, I personally do use Greasemonkey scripts to log into a few low-risk websites.

  2. Never use an auto-login for sensitive sites. If you use a script for a bank, credit card, important work database, etc., somebody will be sitting at your computer some day and they will visit that site (and be automatically logged in), and bad things will happen. Bank on it.
    Now, I know that some will (foolishly) ignore this. But, if you do, at least have the login triggered by a hotkey or hotkey sequence -- never fully automatic.

  3. Beware unsafeWindow.
    Greasemonkey scripts used to be vulnerable to an exploit against unsafeWindow. While I believe that this vulnerability was closed by Firefox version 4 (the old exploit recipe certainly does not work with modern GM+FF), an unsafeWindow exploit would allow a compromised web page to see parts of your script source and to use GM_ functions.

    So, for login scripts especially, don't use unsafeWindow.

  4. Never include a real password in any source file.
    Don't make it so easy for prying eyes or malware to get your password! This has been an easy route to pwn-dom for decades, and yet people still get burned by this -- probably every day.

  5. Don't store passwords in clear text, and don't use "password" and "username" for variable names. This won't stop a determined bad guy, but it will slow down "honest" snoops and script-kiddies.


Here is the Greasemonkey script framework I use on the two pages where I automatically login (both are forums, low-risk, low sensitivity).

The username and password are stored in the browser prefs database (visible via about:config), not the script source. They are lightly encrypted to slow down snoops.

The first time you run the script, it will prompt for a random key and for the username and password. After that, the username and password can be changed via the Greasemonkey context menu.

// ==UserScript==
// @name     _Autologin, sensitive info framework
// @include  http://YOUR_SERVER.COM/YOUR_PATH/*
// @require  http://crypto.stanford.edu/sjcl/sjcl.js
// @grant    GM_getValue
// @grant    GM_setValue
// @grant    GM_registerMenuCommand
// ==/UserScript==

var encKey  = GM_getValue ("encKey",  "");
var usr     = GM_getValue ("lognUsr", "");
var pword   = GM_getValue ("lognPwd", "");

if ( ! encKey) {
    encKey  = prompt (
        'Script key not set for ' + location.hostname + '. Please enter a random string:',
        ''
    );
    GM_setValue ("encKey", encKey);

    usr     = pword = "";   // New key makes prev stored values (if any) unable to decode.
}
usr         = decodeOrPrompt (usr,   "U-name", "lognUsr");
pword       = decodeOrPrompt (pword, "P-word", "lognPwd");


function decodeOrPrompt (targVar, userPrompt, setValVarName) {
    if (targVar) {
        //-- A stored value exists; decrypt it with the key kept in the prefs DB.
        targVar     = unStoreAndDecrypt (targVar);
    }
    else {
        targVar     = prompt (
            userPrompt + ' not set for ' + location.hostname + '. Please enter it now:',
            ''
        );
        //-- prompt() returns null when cancelled; don't try to encrypt or store that.
        if (targVar === null)   return "";
        GM_setValue (setValVarName, encryptAndStore (targVar) );
    }
    return targVar;
}

function encryptAndStore (clearText) {
    //-- sjcl.encrypt returns a JSON string (salt, iv, ct, ...); store it as a string in prefs.
    return  JSON.stringify (sjcl.encrypt (encKey, clearText) );
}

function unStoreAndDecrypt (jsonObj) {
    return  sjcl.decrypt (encKey, JSON.parse (jsonObj) );
}

//-- Add menu commands that will allow U and P to be changed.
GM_registerMenuCommand ("Change Username", changeUsername);
GM_registerMenuCommand ("Change Password", changePassword);

function changeUsername () {
    promptAndChangeStoredValue (usr,   "U-name", "lognUsr");
}

function changePassword () {
    promptAndChangeStoredValue (pword, "P-word", "lognPwd");
}

function promptAndChangeStoredValue (targVar, userPrompt, setValVarName) {
    targVar     = prompt (
        'Change ' + userPrompt + ' for ' + location.hostname + ':',
        targVar
    );
    if (targVar === null)   return;     //-- Cancelled; leave the stored value unchanged.
    GM_setValue (setValVarName, encryptAndStore (targVar) );
}

/*-- These next 3 lines are for debug / edification.  
Remove or comment out of the final script.
*/
console.log ("Script start.");
console.log ("usr: ",   usr);
console.log ("pword: ", pword);

// ADD YOUR CODE TO SET THE USERNAME AND PASSWORD ON THE LOGIN PAGE, HERE.

Yes they are!! With an event listener on the event DOMNodeInserted of a script by the requested site, your source code (and by that your password) is visible to ALL the scripts on the requested site.

Have a look here for further information.
