«ххххх» (xxxxx) wrote in lj_dev,

Security question: LJ + GreaseMonkey

Dear LJ developers, is it safe to include the JavaScript line document.domain="livejournal.com" in a GreaseMonkey script running on all "http://*.livejournal.com/*" pages? And if not --- why exactly not?

I'm hacking on this GM-userscript. I think it would be a good idea to enable the user to add a comment and see the posted comment without reloading the page. So I need to know the thread-id of the new comment. But how to find it out? One possible way is to look at the URL talkpost_do.bml is redirecting to[*]. The only problem is: the redirect is happening transparently, so it is impossible to find out the source of the response data if I'm posting the new comment by GM_xmlhttpRequest :-(
So I've decided to post it as follows: 1) Download the posting form to an invisible iframe; 2) Post it by form.submit(); 3) Wait until the response is loaded; 4) Look at the redirected URL in iframe.contentDocument.location... Unfortunately it works only with the document.domain="livejournal.com" assignment.

[*] Does somebody know another way?

Tags: code: javascript
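
Added example, not part of the original post: a small JavaScript model of the browser's same origin-domain check, showing why the iframe read described in the post only succeeds once both pages assign document.domain, and what that same assignment means between any two journal subdomains where the script runs. The host names, journal names and helper functions are constructed for illustration.

```javascript
// Model of the "same origin-domain" rule from the HTML Standard.
// A document is described by its URL plus the value its script assigned to
// document.domain, or null if no script assigned one.
function makeDoc(url, assignedDomain = null) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, domain: assignedDomain };
}

// The setter only accepts the current host or a parent-domain suffix of it.
// (Real browsers also reject public suffixes such as "com"; omitted here.)
function setDomain(doc, value) {
  if (doc.host !== value && !doc.host.endsWith("." + value)) {
    throw new Error(`"${value}" is not a suffix of ${doc.host}`);
  }
  return { ...doc, domain: value };
}

// Can script in document a reach into document b (e.g. iframe.contentDocument)?
function canAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  // Both opted in: only the assigned domains are compared, the port is ignored.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Exactly one opted in: never same origin-domain, even for identical hosts.
  if (a.domain !== null || b.domain !== null) return false;
  return a.host === b.host && a.port === b.port;
}

// Constructed sample pages: "exampleuser" and "otheruser" are hypothetical
// journals, and the www host for talkpost_do.bml is an assumption.
const journal = makeDoc("http://exampleuser.livejournal.com/1234.html");
const poster = makeDoc("http://www.livejournal.com/talkpost_do.bml");
const other = makeDoc("http://otheruser.livejournal.com/");

function demo() {
  const relax = (d) => setDomain(d, "livejournal.com");
  return {
    before: canAccess(journal, poster),            // no page opted in
    oneSided: canAccess(relax(journal), poster),   // only the parent page opted in
    bothSides: canAccess(relax(journal), relax(poster)),
    anySubdomain: canAccess(relax(other), relax(journal)),
  };
}
console.log(demo());
```

Because the userscript runs on every *.livejournal.com page, each page it touches opts in, so the relaxation is not limited to the one iframe the script creates.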
