Safeguards against "token stealing"

[JasonBarnabe]

A common type of malware on Greasy Fork is that which takes some private aspect of the current page, like the value of a cookie or something in the DOM and sends it to a third party server. This is commonly used to steal login tokens for Discord servers, but some scripts do it for legitimate reasons as well.

I am considering putting some sort of restriction or warning like as used for @antifeature, like "This script is sending your private info to another server, we can't tell if it'll use it for good or harm". But like @antifeature, this is something that the script author would need to specify rather than something that could be detected automatically.

I'm wondering what restrictions Tampermonkey has or could have that would stop this kind of malware, or at least make the general technique detectable, like

• Restrictions on reading cookies
• Restrictions on sending data to third party servers

[7nik]

You cannot make the script less privileged than the vanilla script.

What would be nice to have is a version of the script install/update screen for users unable to read the code, which is the majority: basically display the same info as in the metadata block, but nicely formatted and with some explanation info.

[derjanb]

Restrictions on reading cookies

JavaScript and UserScripts can't read HttpOnly cookies, which are often used as login cookie, but GM_cookie can. That's why there is an option called Allow scripts to access cookies which is set to All at BETA versions and to All but protected cookies (HttpOnly) at stable versions.

How do they retrieve the login token?

Restrictions on sending data to third party servers

In order to send data via GM_xmlhttpRequest to another server scripts have to add a @connect tag. Otherwise the user is prompted to allow this request.
But if someone wants to send data from a webpage, he can also simply add an image tag with the data attached. I think there is no way to prevent this.

[JasonBarnabe]

How do they retrieve the login token?

Typically just by reading document.cookie. I don't know if the cookie is HttpOnly. For some sites, they will read from localStorage.

JavaScript and UserScripts can't read HttpOnly cookies, which are often used as login cookie, but GM_cookie can. That's why there is an option called Allow scripts to access cookies which is set to All at BETA versions and to All but protected cookies (HttpOnly) at stable versions.

To clarify, do you mean that this option allows reading HttpOnly cookies with document.cookie, with GM_cookie, or both?

[derjanb]

To clarify, do you mean that this option allows reading HttpOnly cookies with document.cookie, with GM_cookie, or both?

document.cookie never returns HttpOnly cookies. Otherwise every advertisement could steal login information. So this option controls GM_cookie only.