In his demo, Joe lists his private key in the user script source.
Please do not put private information into user script source code yet.
We're thinking about ways to run user scripts completely separate from the DOM, which would prevent this sniffing from being possible, but it doesn't exist yet. I'll post again here when that happens.
- browser content window is the global object
- script runs in same security context as browser content is currently running in
- we have the ability to add other global objects of our choosing