tunisiano187 / WME-send-to-slack

Script to send (Un)lock/Closures/Open/Validations requests to slack, Discord, Telegram, GForm
https://wmests.bowlman.org
GNU General Public License v3.0
4 stars 7 forks

When using window.SDK_INITIALIZE may be undefined #144

Closed ordonezgs closed 3 hours ago

ordonezgs commented 3 hours ago

SDK_INITIALIZE should be an event to retrieve rather than a promise object type.

SDK_INITIALIZE may be undefined, so you'll not be able to use the .then() method when it is undefined, as stated in the WME SDK docs (check the WME API docs also).

When trying to use window.SDK_INITIALIZE, window is the Tampermonkey userscript window, not the WME window.

Solving this with unsafeWindow brings security concerns.

https://www.tampermonkey.net/documentation.php?locale=en#api:unsafeWindow

https://groups.google.com/g/greasemonkey-users/c/mow6fpWmIvE/m/OuJw0MYuGJoJ

The "unsafe" in "unsafeWindow" is that it exposes the privileged GM* functions to the content page: and that page could in theory do something unsavory with them. If you "@grant none" then there are no privileged GM functions (that's the whole point!), so that vector of unsafe-ness does not exist, so you don't need to worry about it. There's nothing to put in a sandbox. You also use the ambiguous phrase "without @grant and GM_xx". I take that to mean: a legacy script that does not specify any @grant line, yet does call GM_ functions. In such a case, Greasemonkey detects and acts as if there was a @grant line (with all the same legacy sandboxing). If your script gets privileged access, it lives in the sandbox that makes that safe. If it doesn't, then it doesn't.
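An added example, not part of the original issue or the project's code: a guarded way to reach the promise discussed above, which returns null or rejects on timeout instead of calling .then() on undefined. `SDK_INITIALIZE` is the name used in this issue; `pickPageWindow`, `readSdkPromise` and `whenSdkReady` are hypothetical helpers.

```javascript
// Added example. SDK_INITIALIZE is the property name used in this issue;
// all function names below are hypothetical.

// Return the page's own window. When the userscript runs sandboxed, `window`
// is the script's window (as the issue reports) and page-defined globals are
// reached through unsafeWindow; without a sandbox, `window` is the page window.
function pickPageWindow(globals) {
  return globals.unsafeWindow !== undefined ? globals.unsafeWindow : globals.window;
}

// Read the promise without assuming it exists. Returns null rather than
// letting `undefined.then(...)` throw a TypeError. The value comes from the
// page, so it is only checked for a callable `then`, never trusted further.
function readSdkPromise(pageWin, key = 'SDK_INITIALIZE') {
  const candidate = pageWin ? pageWin[key] : undefined;
  return candidate && typeof candidate.then === 'function' ? candidate : null;
}

// Poll until the page has defined the promise, then chain on it. Rejects
// after timeoutMs so a wrong window context fails loudly instead of hanging.
function whenSdkReady(pageWin, { key = 'SDK_INITIALIZE', intervalMs = 100, timeoutMs = 15000 } = {}) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    (function poll() {
      const sdkPromise = readSdkPromise(pageWin, key);
      if (sdkPromise) {
        // Data flows from page to script only: nothing privileged (GM_*
        // functions, sandbox objects) is ever assigned onto the page window.
        Promise.resolve(sdkPromise).then(() => resolve(pageWin), reject);
      } else if (Date.now() >= deadline) {
        reject(new Error(`${key} not defined on page window after ${timeoutMs} ms`));
      } else {
        setTimeout(poll, intervalMs);
      }
    })();
  });
}

// Usage inside a userscript (initScript is the script's own entry point):
// const uw = typeof unsafeWindow === 'undefined' ? undefined : unsafeWindow;
// whenSdkReady(pickPageWindow({ window, unsafeWindow: uw })).then(initScript, console.error);
```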

ordonezgs commented 3 hours ago

https://issuetracker.google.com/issues/376479682

ordonezgs commented 3 hours ago

https://stackoverflow.com/a/10828021/10709288