Security concerns
why the lucky stiff
why at hobix.com
Mon Sep 5 02:31:33 EDT 2005
I'm really concerned about MouseHole's security. To a degree, user
scripts are inherently granted permissions and open the user to attack
(just as a downloaded executable can do any damage it pleases.)
Anyway, here are the security concerns that need to be addressed:
* Installed user scripts: are they allowed to do anything at all once
the user has authorized installation? Or should they be forced to state
their intentions? "Hi, I require at least $SAFE = 2!"
* Uninstalled user scripts which are loaded for metadata scanning: they are
allowed to do nothing at all!
* Javascript access to MouseHole: A MouseHole script injects Javascript
into a page and that Javascript needs to store data back inside
MouseHole. Uhh, this exposes MouseHole to possible attack from other
Javascripts. What APIs do we allow Javascript to access. (You don't
want a rogue Javascript deactivating all your scripts or wiping out your
configurations, right?)
* Javascript cross-site access: A MouseHole script injects Javascript
into a page and that Javascript needs to pass data to another domain
(normally a JS failure.)
** So, if we're on boingboing and we want to access metafilter..
http://boingboing.net/http://metafilter.com/api/post. That opens a
security hole (the same one Greasemonkey just bumped up on.)
** Instead, we could have the MouseHole script register URLs
beforehand: register_url("http://metafilter.com/api/post")
** Then, the script is given a hash to access that domain. (Or is
allowed access to it through
http://boingboing.net/http://metafilter.com/api/post.)
** Or, just a whitelist with regexps.
I'm sure there are other security issues. We'll start with these, though.
_why
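An added example (mine, not MouseHole's own code) of the register-beforehand and regexp-whitelist ideas in the message above: a hypothetical `CrossSiteRegistry` hands a user script an opaque token (the "hash" of the message) for each registered URL or pattern, and the proxy refuses any cross-domain request from injected Javascript that does not present a valid token for that exact target. Class and method names are assumptions; the domains are the ones the message uses.

```ruby
require 'securerandom'
require 'uri'

# Hypothetical registry, not MouseHole code: a user script declares the
# cross-site URLs it needs up front and gets back one opaque token per grant.
class CrossSiteRegistry
  def initialize
    @grants = {} # token => { script: name, pattern: Regexp }
  end

  # Register a literal URL or a Regexp whitelist pattern for a named script.
  # Returns the token the script passes down to the Javascript it injects.
  def register_url(script_name, url_or_pattern)
    pattern = url_or_pattern.is_a?(Regexp) ? url_or_pattern : literal_pattern(url_or_pattern)
    token = SecureRandom.hex(16)
    @grants[token] = { script: script_name, pattern: pattern }
    token
  end

  # Called by the proxy when injected Javascript asks to reach another domain.
  # Allowed only if the token is known and the target matches the pattern it
  # was issued for. Unknown tokens, other origins and path tricks such as
  # http://boingboing.net/http://metafilter.com/api/post are all refused,
  # because the pattern is anchored at the start of the URL.
  def allowed?(token, target_url)
    grant = @grants[token]
    return false unless grant
    uri = URI.parse(target_url) rescue nil
    return false unless uri && %w[http https].include?(uri.scheme)
    grant[:pattern].match?(target_url)
  end

  private

  # A literal registration matches exactly that URL, with an optional query string.
  def literal_pattern(url)
    /\A#{Regexp.escape(url)}(\?.*)?\z/
  end
end
```

A script that needs a whole API prefix registers a pattern such as `%r{\Ahttps?://(www\.)?metafilter\.com/api/}` instead of a literal URL; the same token check then applies.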