Greasemonkey update brings important security changes
Firefox script manager Greasemonkey has been updated to version 2.0 with some important security tweaks.
The add-on now finally defaults to the unprivileged mode introduced in Greasemonkey 1.0, which means scripts must explicitly request the APIs they need with @grant. The developers say this shouldn’t pose a problem, as "many if not most or all scripts" work this way already, and the change won’t immediately affect installed scripts anyway. But if you then update, edit or reinstall a script which doesn’t follow the rules, it’ll probably break.
Similarly, the sandbox has been updated to match Firefox Add-on SDK, and will no longer be able to use unsafeWindow to make JavaScript objects available. Translated, it’s another low-level change which may also break existing scripts, but Greasemonkey’s developers say it will improve "stability, reliability and security", while script developers can still access unsafeWindow with the new methods cloneInto(), exportFunction(), and/or createObjectIn().
Elsewhere, new support for reading a meta.js file from any website should make it easier to detect and download script updates (although it’ll take some time before it’s widely used).
Firefox Sync support is now turned on by default, and shouldn’t display unnecessary prompts if a master password is set.
References and links to the broken and almost entirely useless userscripts.org will at last be ditched.
Greasemonkey 2.0 also fixes a range of bugs. We didn’t spot anything that seemed too significant, but if you’re interested, the 2.0 milestone on GitHub will give you all the low-level details.
As we write, the Firefox add-on site is still displaying Greasemonkey 1.15. It should catch up soon, but if you can’t wait, try installing 2.0 beta 2 from the Development Channel section.