javascript - Are my Greasemonkey scripts visible outside my PC?
Forgive me if this is a dumb question. I'm not familiar with how browser scripts are handled.
I'm writing a short Greasemonkey script that involves auto-logging me into a website, which of course involves inserting a password. I'm planning to include the password in the script itself, but I'm concerned about whether it's possible for someone else to see the script, and so see the password.
So my question is: is it possible for the script to be seen by anyone/anything beyond my browser and local PC? I'm not talking about someone else using my computer, but about "probing" or otherwise inspecting my browser from elsewhere on the net.
If so, how can I store a password so that it can be auto-inserted without sacrificing security?
Nominally, no. Greasemonkey scripts are not any more visible outside your PC than any other unencrypted file on your hard drive.
That said, there are several things to keep in mind:
Use a password utility instead. Use trusted utilities that are designed to work with and secure passwords as much as possible. As mentioned, LastPass is pretty popular. I have used Secure Login to good effect.
Admittedly, these utilities do not work in every situation, since many sites insist on their own variations of the login page/system. So, I do use Greasemonkey scripts to log into a few low-risk websites.
Never use auto-login for sensitive sites. If you use a script for your bank, credit card, important work database, etc., you will be sitting at your computer one day and will visit the site (and be automatically logged in), and bad things will happen. Bank on it. Now, I know some will (foolishly) ignore this. But, if you do, at least have the login triggered by a hotkey or hotkey sequence -- never automatic.
Beware unsafeWindow. Greasemonkey scripts used to be vulnerable to an exploit against unsafeWindow. While I believe that vulnerability was closed in Firefox version 4 (the old exploit recipe does not work with modern GM+FF), the unsafeWindow exploit allowed a compromised web page to see parts of your script source and use the GM_ functions.
So, for login scripts especially, don't use unsafeWindow.
Never include your real password in any source file. Don't make it easy for prying eyes or malware to get the password! This has been an easy route to pwn-dom for decades, and yet people still get burned -- every day.
Don't store passwords in clear text. And don't use "password" and "username" as variable names. This won't stop a determined bad guy, but it will slow down "honest" snoops and script-kiddies.
Here is a Greasemonkey script framework that I use on 2 pages to automatically log in (both are forums, low-risk, low sensitivity).
The username and password are stored in the browser prefs database (visible via about:config), not in the script source. They are lightly encrypted to slow down snoops.
The first time you run the script, it will prompt for a random key and the username and password. After that, the username and password can be changed via the Greasemonkey context menu.
// ==UserScript==
// @name     _Autologin, sensitive info framework
// @include  http://YOUR_SERVER.COM/YOUR_PATH/*
// @require  http://crypto.stanford.edu/sjcl/sjcl.js
// @grant    GM_getValue
// @grant    GM_setValue
// @grant    GM_registerMenuCommand
// ==/UserScript==

var encKey  = GM_getValue ("encKey",  "");
var usr     = GM_getValue ("lognUsr", "");
var pword   = GM_getValue ("lognPwd", "");

if ( ! encKey) {
    encKey  = prompt (
        'Script key not set for ' + location.hostname +
        '. Please enter a random string:',
        ''
    );
    GM_setValue ("encKey", encKey);

    usr     = pword = "";   // New key makes prev stored values (if any) unable to decode.
}

usr     = decodeOrPrompt (usr,   "U-name", "lognUsr");
pword   = decodeOrPrompt (pword, "P-word", "lognPwd");

//-- Decrypt a stored value, or prompt for it, encrypt it and store it.
function decodeOrPrompt (targVar, userPrompt, setValVarName) {
    if (targVar) {
        targVar = unStoreAndDecrypt (targVar);
    }
    else {
        targVar = prompt (
            userPrompt + ' not set for ' + location.hostname +
            '. Please enter it now:',
            ''
        );
        GM_setValue (setValVarName, encryptAndStore (targVar) );
    }
    return targVar;
}

function encryptAndStore (clearText) {
    return JSON.stringify (sjcl.encrypt (encKey, clearText) );
}

function unStoreAndDecrypt (jsonObj) {
    return sjcl.decrypt (encKey, JSON.parse (jsonObj) );
}

//-- Add menu commands to allow U and P to be changed.
GM_registerMenuCommand ("Change Username", changeUsername);
GM_registerMenuCommand ("Change Password", changePassword);

function changeUsername () {
    promptAndChangeStoredValue (usr,   "U-name", "lognUsr");
}

function changePassword () {
    promptAndChangeStoredValue (pword, "P-word", "lognPwd");
}

function promptAndChangeStoredValue (targVar, userPrompt, setValVarName) {
    targVar    = prompt (
        'Change ' + userPrompt + ' for ' + location.hostname + ':',
        targVar
    );
    GM_setValue (setValVarName, encryptAndStore (targVar) );
}

/*-- These next 3 lines are for debug / edification.
    Remove or comment out of final script.
*/
console.log ("Script start.");
console.log ("Usr: ", usr);
console.log ("Pword: ", pword);

// ADD code to set the username and password on the login page, here.
Tags: javascript, security, passwords, greasemonkey