I agree. It's clear that the GM authors didn't take a principled stance on security, and the ad hoc way in which features have been added has led to the current state. It was obvious that they were getting into dangerous waters when they created GM_* equivalents for functions like XMLHttpRequest in order to get around the existing Mozilla security model.
Sentences like "Unlike the XMLHttpRequest object, GM_xmlhttpRequest is not restricted to the current domain; it can GET or POST data from any URL" (from Dive Into Greasemonkey) should have been ringing warning bells considerably earlier than they did.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
Sentences like "Unlike the XMLHttpRequest object, GM_xmlhttpRequest is not restricted to the current domain; it can GET or POST data from any URL" (from Dive Into Greasemonkey) should have been ringing warning bells considerably earlier than they did.