Slashdot Mirror
Hacking the Web with Greasemonkey
plasticmillion writes "Greasemonkey is a revolutionary Firefox extension that many feel has enormous implications for the future evolution of the web. By making it easy to write client-side scripts that modify webpages as you surf, it shifts the balance of power from content creators to content consumers. Since its inception, it has given rise to an impressive array of scripts for everything from enhancing Gmail with one-click delete functionality to preventing Hotmail from spawning new windows when you click on external links. In recent Greasemonkey news, Mark Pilgrim just published a comprehensive primer called 'Dive Into Greasemonkey', a must-read for those who want to try their hand at writing their own scripts. It should be noted that Greasemonkey is not without controversy, but this has done nothing to reduce its popularity among web programmers. Even Opera has jumped on the bandwagon with their own version of user scripts. To illustrate the principle to /.ers, I whipped up a handy little script called 'Slashdot Live Comment Tree', which lets you expand and collapse entire threads in an article's comments."
By making it easy to write client-side scripts that modify webpages as you surf, it shifts the balance of power from content creators to content consumers.
Google has tried something similar before with their toolbar and ISBNs.
That said, I am going to use this guide to disable Greasemonkey. I write websites so I can present ideas to people. I don't want them to see my site the way they want to see it. I want them to see it the way it was meant to be seen. That way I can provide content based on expectations of standards compliance.
If you want to display my content with your own formatting, use my RSS feed.
The dangers of knowledge trigger emotional distress in human beings.
If other articles are drawing notice to free registration for articles such as the NYT, why is this one linking to an article trying to charge $34?
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
It should also be noted that the person claiming controvesy is also charging $49.00 for the "research" he has written. Do people buy these things?
Any, the summary of it reads as basically "users might install extensions that don't work with your own corporate pages". Personally, if an end user is installing applications without understanding the implications, you should ask whether that user should be allowed to install applications. The "researcher" claims that this risk should delay Firefox roll-outs in the enterprise.
Who's going to write the "Hide Roland Pipe" stories from Slashdot.
For several months, I labored under IE. 20 windows open everywhere, because it has no tabs. Even though I had managed to install Firefox (don't you love apps that don't require registry keys?), it was no help, because the applications department writes javascript that looks like it was squeezed from between Ballmer's asscheeks.
It was difficult. Took me two months of working with greasemonkey, of 3 minutes stolen here, and 5 minutes borrowed there in between calls (did I mention I'm only a phone monkey for a DSL ISP?). But in the end, not only can I use our main webapp in Firefox, it has features that the standard one doesn't. It often helps to shave up to a minute off of calltimes.
Which may be why I'm in trouble for using Firefox at that job. Dunno.
You know you need to disable those default scripts that come with the extension, right?
Or at least set them so they don't execute on that particular site...
You can fix rendering bugs that the site owner can't be bothered to fix themselves.
:)
Could be useful for Slashdot then
Websites are a strange medium. Things like greasemonkey and adblock and google toolbar have been spurring these debates about content control.
I would not be suprised if this debate grew bigger as the popularity of client side controll apps gets bigger.
Alot of people want their webpage to look the way they intended it to look, but I think the truth is that you can not count on that. Different browsers, different computers, different monitors...
I am in favor of client side tools, I think that a user getting the best use possible out of a site is a good thing, in fact that is my goal when designing a website. If they think they can do it better, be my guest.
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
Just publish your site as a collection of image files.
That'll teach them young whipper-snappers!
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
One very interesting thread has been misuse of Greasemonkey(GM). GM allow script authors to use an XML_HTTPrequest() type functionality. This is often to look up information services, such as google, de.li.ci.ous, weather etc.
With a poorly coded script, there could be thousands of http connections spawned per page transition. A DDOS of sorts. This will be an interesting one to tackle.
Any ideas out there??
[% slash_sig_val.text %]
I have a web page that runs a little javascript at the end, where it pops up an alert window, then redirects to another page. I would like to write a greasemonkey script to remove this redirection. Unfortunately, the page's javascript gets run before greasemonkeys. Any ideas about how get my greasemonkey script to run sooner?
I'm a leaf on the wind. Watch how I soar.
In order to avoid $50 articles, I found this article which did talk about some potential security problems with greasemonkey. It seems hackers could make scripts that behave maliciously. According to the article, even the original greasemonkey developer has expressed concerns along those lines.
It does, basically user scripts (Greasemonkey or Opera) are bookmarklets automatically executing when you browse a specific site (pattern matching allows the browser to execute the userscript that should be upon entering the website).
Oh, and there is no limit in a user script size, which isn't the case of a bookmarklet (even though you can execute external scripts from a bookmarklet)
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Is this sting powerful enough to take back control of your passwords? The day that autocomplete became enforced users lost the power to manage their passwords. can GM be used to removed this directive?
It looks like this was a partial example of the problem sitting between chair and screen.
The particlar site is using iframes and GreaseMonkey summarily hides those tags in its default configuration. Excluding the site manually brings it back to life.
However, this means GreaseMonkey becomes thus a Geek-only tool. I can not ask of my mother or wife to know about such problems and manually configure exceptions if things don't work.
Markus
"Even Opera has jumped on the bandwagon with their own version of user scripts." Well, considering that Opera previewed a similar technology back in early 2003, I'm not so sure you could call that "jumping the bandwagon". But still, it's a nice edition, both to Firefox and Opera.
Hell, if I want to print it out and use it as toilet paper, I will.
Now that you've said this, everyone is going to use my site as TP. Thanks, buddy.
The dangers of knowledge trigger emotional distress in human beings.
"It is nothing personal, it is just business and honestly, my paycheck, not my morals, dictate my work environment."
The second worst thing about that statement is that you sound as if you mean it.
The worst thing is that you sound as if you're proud of it.
This attitude causes most of the suffering and evil in the world. The relatively few people who actually have the goal of harming others wouldn't get very far without lots of wimps with this attitude.
(I may just be troll feeding here, but I still had to call it.)
Exam 4/C again. Maybe I'll do better this time.
If someone can't view your site as influenced by some Greasemonkey script or another, it's their fault and their problem. Not yours. You go ahead and provide standards-compliant, semantic markup, and folks'll use it as-is or filter it through something like Greasemonkey.
What's next---are you going to tell people they can't visit your site using lynx, or with images turned off, or that they can't change their font size, so they'll have to squint like everyone else?
What's the point of making it harder on your users, of taking away functionality from them?
--grendel drago
Laws do not persuade just because they threaten. --Seneca
Reading the referenced blog entry, there is a good point to be made where GM breaks sites. The point of standard compliance is that consumers are free to see the output that the producers intended, not that consumers would be forced into one way of working, and enjoying content. Now, so long as the default behaviour (i.e. no GM installed) is fully compatible, this doesn't seem to be a problem. (Maybe linkify should be disabled by default.) We need to ensure that users know what modifications they are making to how websites display, and also know how to add to blacklists and stuff to solve the problem when things go wrong. We shouldn't just categorise this as a consumer vs producer struggle - that's just silly. GM script writers and website owners should be working together, to benefit the user. 1. User scripts need some sort of verification process. Something to guarantee safety, to the casual user. Perhaps some centralised list of checksums for 'certified' user scripts. 2. Websites should be able to check for what user scripts are installed. Not so as to ban them, but to provide a message that 'The scripts you are using are known to be incompatible. For optimal results, please turn them off.'
"One of the most jaw dropping extensions that I have seen to date." --Anders Conbere
Check it out.
-- Scott Turner
At that price, I think I'll bye the research.
One line blog. I hear that they're called Twitters now.
"Or, is my exam fragmented brain missing something that should be obvious?"
I don't know for sure, but it seems obvious to me.
The "Executive Summary" is so full of unsubstatiated assumptions and blatant slant that it is unlikely that the "research" would actually contain any real information.
(I suspect that this kind of "research" is used to support forgone conclusions that need a little extra credibility to show the ignorant.)
Exam 4/C again. Maybe I'll do better this time.
Make every single page one colossal image with an image map for links! That way there's not much the user can do, and you are victorious in your subjugation! Or: relax.
http://www.softwareconsult.dk
If you're writing static webpages, so what? It won't affect you.
If you're writing server-side scripting, you should already be paranoid-checking for bad user submissions. Time to double-check everything is in place.
If you're writing client-side scripts, welcome to hell. You can no longer assume anything will be where you put it, or, in fact, still exist.
What's more, you can't test your site "with greasemonkey" to see if it's OK. You have no idea what the user is going to do to your page with it.
This leaves a handful of options:
1) Make your scripts disable Greasemonkey (which will work until too many sites do it, and it's updated to allow users the final say)
2) Switch productive time fixing bugs and adding features to adding and subsequently wading through checks on every possible error condition that user scripts might make possible.
3) Ignore Greasemonkey and when the users complain your site is broken, inform them it's their own stupid fault.
My personal leaning is towards (3).
I won't pay $49 to find out what the controversy is all about, but Greasemonkey sounds good enough to download and try out.
Despite how useful it is, I have some concern with GreaseMonkey and your browsers security.
The basic problem I see is that user scripts are plug-ins to to a plug-in. User scripts could do things that would be bad for security such as:
GreaseMonkey does not use the white list of sites allowed to install plugins and allows user scripts to be installed from just about anywhere.
I'm worried that somebody could set up a repository of user scripts that appear to do useful things but have spyware embedded in them. Users would install GreaseMonkey user scripts from the site thinking they were getting useful functionality but not realizing they were getting additional "goodies".
I don't install user scripts without knowing how they work and looking over the source myself. Preferably, I write my own. I don't see most users being able to do that sort of analysis. Hence the danger.
--Currency Calculator to Calculate Rates of Exchange for Foreign Currencies
Dev. website:r .js
http://mojodna.net/2005/04/19/mbta-maps/
Direct link to the Greasemonkey script:
http://maps.mojodna.net/mbta/mbta_google_maps.use
Make every single page one colossal image with an image map for links!
Funny you should mention that. My first introduction to FrontPage was working on a non-profit website. They wanted me to make some "quick changes" to their site. I looked at their site-- it was a GIANT IMAGE of a webpage (text and all), with image maps and rollovers for links. The page could have been laid out with tables with no problems (this was in the ugly days before the DOM and CSS), but their previous web designer opted for this lame method.
So, it is a method that has been used before. Damn the unpredictable nature of the web! Double-damn user control!
Microsoft is to software what Budweiser is to beer.
...I love FireFox and it's programmers. If only some companies displayed half the amount of ingenuity.
Patriotism is a virtue of the vicious
Using Greasemonkey or ANY OTHER WEB CLIENT other than the one(s) the author is targetting does not make this a derived art. The original is still in its badly conceived format.
The problem here is that a large number of web "developers" believe that they can control the user's experience. The reality is that this is completely contrary to the HTML standard.
HTML is a method for giving structure to a document. CSS is a method of suggesting look-and-feel of the document. However, NOTHING prevents me from using an arbitrary web client (note: a "browser" is just one type of web client) that will display the structured document in some other way.
If you are designing a page/site in such a way that you try to force a given look-and-feel to everyone, you are limiting the usefulness of your site...not improving it.
Great. Now when client call with complaints that data is either being corrupted via contact form or I can honestly look them in the eye and say, "It's the users fault!"
Karma means nothing to me, so suck it...
We now know that All Peers are infected with the 12 Grease monkeys.
James Cole
In order to form an immaculate member of a flock of sheep one must, above all, be a sheep.
The costly security report is just a money-making troll but there is one issue raised by greasemonkey that may worry a lot of content providers.
Blocking adverts is old hat but greasemonkey lets you do so much more. It offers you the potential to inject links to products from a rival vendor when browsing an online store or rewrite affiliate link ids on a page, to give two examples.
This is going to break a few business models.
Personally I'm not going to shed any tears. Many businesses have completely misunderstood the nature of the web and just seen hyperspace as somewhere else to stick up billboards. Those that can't evolve will die. But when you consider how upset certain people get if you want to just view their site in a manner they hadn't planned on, then we can definitely expect fireworks in the near future.
There's a very heated discussion between Cory Doctorow and Robert Scoble that touches on these issues at http://www.itconversations.com/shows/detail438.htm l about these issues, albeit in the context of Google's Autolink rather than greasemonkey.
You are absolutely correct. A web browser is a tool for displaying data from an unknown - and therefore untrusted - source, namely the Web. It should never freeze, crash or overflow, no matter what garbage is fed to it.
If Firefox indeed does crash when attempting to view this web page, then this issue needs to be fixed immediately, since not fixing it makes Firefox untrustworthy and thereby completely useless.
Naturally, the same goes to any Net facing app. If the input comes from untrusted source, then it must be considered potentially malicious, and treated with appropriate paranoia.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
"...it shifts the balance of power from content creators to content consumers."
Shouldn't that be back to content consumers? Am I mis-remembering, or wasn't there once a time when Web browsers had built-in functionality to actually let users customize how certain tags got rendered in the browser window (fonts, colors, etc.)?
Possible, yes, probably, easily I doubt it, GM is heavy Javascript/DOM tuning. You can find Greasemonkey on The Extensions Mirror BTW, and you may want to check Platypus, which is basically an "interface" to Greasemonkey (allows you to modify a website, and if you need it you can save your modifications as a GM script)
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Forrester is another Beantown research company (and not a particularly good one, IMHO) focused on tech. Some of there reports run into the thousands of dollars, so this one's a cheapy by their standards.
As GreaseMonkey.MozDev.Org is slashdotted, here's the obligitory link to get Greasemonkey:
Install/Download GreaseMonkey
Enjoy!
DouglasK Do Justly. Love Mercy. Walk humbly with your God.
When on IMDB, I want a button that lets me queue the movie I am currently viewing in Netflix.
This might exceed the scope of what's possible with GreaseMonkey. Any movie-maniac/programmer-maniac takers?
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
which article costs money to read?
This one. In the slashot story it is the link on the word "controversy".
There's a one paragraph blurb claiming "But IT managers beware: Greasemonkey will cause you nothing but headaches, and may even be a good reason to delay that Firefox pilot you're planning", but giving absolutely no reason. If you look on the right it says:
Buy this research
Price: US$49.00
Report Length: 3 pages
I really don't think Slashdot should bother linking to a page with absolutely NO information on it and requesting a payment to get info.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
On a more serious note, the site does have some problems when viewed by links/lynx - the navigation is totally invisible to a text based browser, or a screen reader used by a disabled person.
see http://jayloden.com/scottleonard.png for a screenshot of what you'd get in a text based browser.
This is the problem with jscript DHTML menus, they're no good if you intend compatibility with accessibility standards or text browsing.
-Jay
The point of a website can be different for its producer than for its consumer. The producer's point could be to express themself, which requires consumption in exactly the style they publish. The consumer's point could be to get the factual information, regardless of its presentation style, or even for restyled representation. The fact that most web content is inseparable from its presentation style means that you, the graphic designer, are necessary for both points, even if the consumer doesn't share the "style" point.
The "point" it seems that you are missing is that the value of the webpage to the consumer can exclude *you*, even if you don't like that.
--
make install -not war
Greasemonkey scripts are bound by the same restrictions as any other javascript.
;) The wiki page (when it's back up) was something I put up when I first saw GM, because it clearly needed some sort of directory to get some momentum. It's now a stopgap until something more structured is completed. You might try delicious as another directory.
No, they aren't. They are inserted into the code of another site's pages, therefore they get local access priveleges over those pages.
I'm a dev on GM, and I'd like to shed some light.
First, yes, GM is in the same security sandbox as the page script. It does not run as local script.
The threat model of a user script is the very same as a bookmarklet, except that user scripts get injected without clicks, meaning that the user could forget about some installed script.
If someone installs an Evil(tm) script, it can run on pages that the evil person doesn't control, and provide data back to the evil person.
Note that such evil can be delivered in other ways (bookmarklets, toolbars, etc) which are trojans. You should consider every user script as a possible trojan. So yeah, don't install scripts that do evil things, and if you're not sure, don't install.
We're working on a community-policed user script directory which can confer some level of trust. It's not ready yet. We were slashdotted a little too early.
Also, Greasemonkey supplies some interesting functions to the user script context, including GM_xmlhttpRequest, which allows cross-domain page requests. Couple this with GM_setValue and GM_getValue, and a user script can indeed very effectively share data between different web apps. Before you wail in terror, note that information could be sent to evil third-party domain already by using scripted image tags, iframes, and form posts. GM only opens up an easier way to share data; it does not allow anything that's truly new in this respect.
... so yesterday I installed greasemonkey with the gmail delete script.
Today I'm locked out of gmail for a suspected breach of T&C. (yep, a 'lockdown in sector 4!')
I contacted gmail and they have unlocked me, but I wonder if it's related?
--- cut: Eat well, exercise, die anyway.