Hacking the Web with Greasemonkey
plasticmillion writes "Greasemonkey is a revolutionary Firefox extension that many feel has enormous implications for the future evolution of the web. By making it easy to write client-side scripts that modify webpages as you surf, it shifts the balance of power from content creators to content consumers. Since its inception, it has given rise to an impressive array of scripts for everything from enhancing Gmail with one-click delete functionality to preventing Hotmail from spawning new windows when you click on external links. In recent Greasemonkey news, Mark Pilgrim just published a comprehensive primer called 'Dive Into Greasemonkey', a must-read for those who want to try their hand at writing their own scripts. It should be noted that Greasemonkey is not without controversy, but this has done nothing to reduce its popularity among web programmers. Even Opera has jumped on the bandwagon with their own version of user scripts. To illustrate the principle to /.ers, I whipped up a handy little script called 'Slashdot Live Comment Tree', which lets you expand and collapse entire threads in an article's comments."
already been done
See how much people dislike that geeza? If this was a pub he would have been slapped up and kicked out a long time ago.
In order to avoid $50 articles, I found this article which did talk about some potential security problems with Greasemonkey. It seems hackers could make scripts that behave maliciously. According to the article, even the original Greasemonkey developer has expressed concerns along those lines.
"One of the most jaw dropping extensions that I have seen to date." --Anders Conbere
Check it out.
-- Scott Turner
Dev. website:
http://mojodna.net/2005/04/19/mbta-maps/
Direct link to the Greasemonkey script:
http://maps.mojodna.net/mbta/mbta_google_maps.user.js
Greasemonkey scripts are bound by the same restrictions as any other javascript.
;) The wiki page (when it's back up) was something I put up when I first saw GM, because it clearly needed some sort of directory to get some momentum. It's now a stopgap until something more structured is completed. You might try delicious as another directory.
No, they aren't. They are inserted into the code of another site's pages, therefore they get local access privileges over those pages.
I'm a dev on GM, and I'd like to shed some light.
First, yes, GM is in the same security sandbox as the page script. It does not run as local script.
The threat model of a user script is the very same as a bookmarklet, except that user scripts get injected without clicks, meaning that the user could forget about some installed script.
If someone installs an Evil(tm) script, it can run on pages that the evil person doesn't control, and provide data back to the evil person.
Note that such evil can be delivered in other ways (bookmarklets, toolbars, etc) which are trojans. You should consider every user script as a possible trojan. So yeah, don't install scripts that do evil things, and if you're not sure, don't install.
We're working on a community-policed user script directory which can confer some level of trust. It's not ready yet. We were slashdotted a little too early.
Also, Greasemonkey supplies some interesting functions to the user script context, including GM_xmlhttpRequest, which allows cross-domain page requests. Couple this with GM_setValue and GM_getValue, and a user script can indeed very effectively share data between different web apps. Before you wail in terror, note that information could be sent to an evil third-party domain already by using scripted image tags, iframes, and form posts. GM only opens up an easier way to share data; it does not allow anything that's truly new in this respect.
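
A pre-install check in the spirit of the comment above, as an added example that is not part of the thread or of Greasemonkey itself: it reads a script's `@include` scope from the metadata block and lists which of the outbound channels named in the comment the script uses. The channel labels, the sample script and the host `stats.example.invalid` are constructed for illustration.

```javascript
// Added example: static pre-install review of a Greasemonkey user script.
// Channel labels and the sample script are constructed for illustration.
const CHANNELS = {
  'GM_xmlhttpRequest (cross-domain request)': /\bGM_xmlhttpRequest\s*\(/,
  'GM_setValue/GM_getValue (stored data)': /\bGM_(set|get)Value\s*\(/,
  'scripted image tag': /new\s+Image\b|createElement\(\s*['"]img['"]/i,
  'scripted iframe': /createElement\(\s*['"]iframe['"]/i,
  'form post': /\.submit\s*\(/,
};
const META = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/;

// Return the @include patterns from the ==UserScript== metadata block.
function parseIncludes(source) {
  const block = META.exec(source);
  if (!block) return [];
  return [...block[1].matchAll(/^\s*\/\/\s*@include\s+(\S+)/gm)].map(m => m[1]);
}

// Broad means the host part is a bare wildcard, e.g. "*" or "http://*/*".
function isBroad(pattern) {
  const rest = pattern.replace(/^[a-z*]+:\/\//i, '');
  return rest === '*' || rest.startsWith('*/');
}

function auditUserScript(source) {
  const includes = parseIncludes(source);
  // Greasemonkey runs a script with no @include on every page.
  const runsEverywhere = includes.length === 0 || includes.some(isBroad);
  const body = source.replace(META, '');
  const channels = Object.keys(CHANNELS).filter(k => CHANNELS[k].test(body));
  // Hosts named in the code are where fetched or sent data can go.
  const found = [...body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)];
  const hosts = [...new Set(found.map(m => m[1].toLowerCase()))];
  const needsReview = runsEverywhere && channels.length > 0;
  return { includes, runsEverywhere, channels, hosts, needsReview };
}

const SAMPLE = [ // constructed sample script, not from the thread
  '// ==UserScript==',
  '// @name     Visit counter',
  '// @include  http://*/*',
  '// ==/UserScript==',
  'var n = GM_getValue("visits", 0) + 1;',
  'GM_setValue("visits", n);',
  'GM_xmlhttpRequest({method: "GET", url: "http://stats.example.invalid/hit"});',
].join('\n');

console.log(auditUserScript(SAMPLE));
```

A `needsReview` result only means the script both runs on every page and can move data off it; the source still has to be read before installing.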