Slashdot Mirror
Hacking the Web with Greasemonkey
plasticmillion writes "Greasemonkey is a revolutionary Firefox extension that many feel has enormous implications for the future evolution of the web. By making it easy to write client-side scripts that modify webpages as you surf, it shifts the balance of power from content creators to content consumers. Since its inception, it has given rise to an impressive array of scripts for everything from enhancing Gmail with one-click delete functionality to preventing Hotmail from spawning new windows when you click on external links. In recent Greasemonkey news, Mark Pilgrim just published a comprehensive primer called 'Dive Into Greasemonkey', a must-read for those who want to try their hand at writing their own scripts. It should be noted that Greasemonkey is not without controversy, but this has done nothing to reduce its popularity among web programmers. Even Opera has jumped on the bandwagon with their own version of user scripts. To illustrate the principle to /.ers, I whipped up a handy little script called 'Slashdot Live Comment Tree', which lets you expand and collapse entire threads in an article's comments."
If other articles are drawing notice to free registration for articles such as the NYT, why is this one linking to an article trying to charge $34?
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
It should also be noted that the person claiming controvesy is also charging $49.00 for the "research" he has written. Do people buy these things?
Any, the summary of it reads as basically "users might install extensions that don't work with your own corporate pages". Personally, if an end user is installing applications without understanding the implications, you should ask whether that user should be allowed to install applications. The "researcher" claims that this risk should delay Firefox roll-outs in the enterprise.
Who's going to write the "Hide Roland Pipe" stories from Slashdot.
Achtung! You vill sit in ze CHAIR ven you read my book, NOT ON ZE COUCH!!!
Sieg heil!
That said, I am going to use this guide to disable Greasemonkey.
Step 1. Slashdot my own site.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Ah, good morning Mr. Ballmer.
Your serving the webpage to me.
As long as you do it in a standards compliant way, then isn't it a bit presumptious to decide how I decide to digest the information.
If I want to use Lynx to view your page, I will, if I want to apply my own java transforms on it I will.
Hell, if I want to print it out and use it as toilet paper, I will.
You seem to have the wrong way of thinking about this web lark.
liqbase
But the web is about sending content to the user - it's up to the user how they want to display it. Unles you're supplying a locked down PC with your own browser configuration you have absolutely no control over what the end user does with the content you send, or how they interpret it.
Sure you can send CSS to the broser, but your visitor using links isn't going to see the result of you work. The visitor using a screen reader or mobile phone will be equally ignorant of your efforts.
These are user installed scripts, and this is the web not television. The folk visiting sites are not their passively, they're there to interact and if they want your site to function a little differently so it better fits with their expectations what rights do you have to stop them?
I don't want them to see my site the way they want to see it. I want them to see it the way it was meant to be seen.
That's why GreaseMonkey exists. It allows firefox to do the work your eyes and hands must otherwise do - it gets you the information you're after, not what the designer fancies.
(I actually like your site design, and I think it is great you are releasing your work under the GPL and your content under a CC license)
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
For several months, I labored under IE. 20 windows open everywhere, because it has no tabs. Even though I had managed to install Firefox (don't you love apps that don't require registry keys?), it was no help, because the applications department writes javascript that looks like it was squeezed from between Ballmer's asscheeks.
It was difficult. Took me two months of working with greasemonkey, of 3 minutes stolen here, and 5 minutes borrowed there in between calls (did I mention I'm only a phone monkey for a DSL ISP?). But in the end, not only can I use our main webapp in Firefox, it has features that the standard one doesn't. It often helps to shave up to a minute off of calltimes.
Which may be why I'm in trouble for using Firefox at that job. Dunno.
This seems to be another step in the battle that's as old as the web, over who gets final say as to how a web page is presented.
I feel the (Firefox) user should, and generally is going to have the edge, what with the uriid extension to apply site-specific CSS, greasemonkey, and other tools. But page producers always have wanted to dictate exactly how their pages appear to the user, however misguided that is, and I doubt the battle will ever be over.
Oh no... it's the future.
You can fix rendering bugs that the site owner can't be bothered to fix themselves.
:)
Could be useful for Slashdot then
Websites are a strange medium. Things like greasemonkey and adblock and google toolbar have been spurring these debates about content control.
I would not be suprised if this debate grew bigger as the popularity of client side controll apps gets bigger.
Alot of people want their webpage to look the way they intended it to look, but I think the truth is that you can not count on that. Different browsers, different computers, different monitors...
I am in favor of client side tools, I think that a user getting the best use possible out of a site is a good thing, in fact that is my goal when designing a website. If they think they can do it better, be my guest.
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
Your analogy is flawed. Artists have never had a right to prevent you from looking at their work in a certain way. Painters can't stop the colorblind or those wearing sunglasses to look at their paintings. Anyone can skip entire chapters when reading a book. I can play Beethoven and Britney Spears at the same time if I please.
What I do with those works in the privacy of my own home is my business. I might just prefer it that way, and there's nothing you can do about it.
Artists do have recourse against people redistributing altered ("raped") works, but that is also limited.
In the case of greasemonkey, it's just a tool you use to view the web; other people might use other tools, like lynx for example, which renders a page completely differently from firefox or internet explorer. It's personal use. So lay off of it.
SCO employee? Check out the bounty
Greasemonkey is nothing but "the easy way", but client side modification of a website has been live for years:
- Proximitron allows advanced filtering
- Specific Firefox extensions do, too (think about Slashfix)
- Bookmarklets are fairly powerful, check MODI for example
- For god's sake, there are so much differences from one browser to another one that one can tweak what he seens by changing browser
- Custom/client side CSS, Opera has had them for a very long time, Firefox has that too, and you can more than likely find bookmarklets allowing you to load custom CSS in your browser
The fact is that you seem not to know an important rule of web design: the way you indent your website to be displayed is nothing but a mere suggestion, and the surfer is 100% free to fully ignore your hints if he doesn't want itDon't want that? don't create websites. Your websites are not here for you and if they are they shouldn't be online, websites are for the visitor and he can do whatever he wants with the data he receives (including sending the whole content of your website to
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
You can suggest, tell the visitor 'look, this is supposed to look like that', but ultimately the choice is the user's, just as in a book the reading order is merely a hint, if one wants to read the book backwards more power to him, and the author is not supposed to come at him with a big stick saying "no no, you're not supposed to read backwards, you can't skip pages either or i'll beat you to a bloody pulp you crackwhore", which is exactly what mfh intends to do...
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
One very interesting thread has been misuse of Greasemonkey(GM). GM allow script authors to use an XML_HTTPrequest() type functionality. This is often to look up information services, such as google, de.li.ci.ous, weather etc.
With a poorly coded script, there could be thousands of http connections spawned per page transition. A DDOS of sorts. This will be an interesting one to tackle.
Any ideas out there??
[% slash_sig_val.text %]
I have a web page that runs a little javascript at the end, where it pops up an alert window, then redirects to another page. I would like to write a greasemonkey script to remove this redirection. Unfortunately, the page's javascript gets run before greasemonkeys. Any ideas about how get my greasemonkey script to run sooner?
I'm a leaf on the wind. Watch how I soar.
In order to avoid $50 articles, I found this article which did talk about some potential security problems with greasemonkey. It seems hackers could make scripts that behave maliciously. According to the article, even the original greasemonkey developer has expressed concerns along those lines.
Is this sting powerful enough to take back control of your passwords? The day that autocomplete became enforced users lost the power to manage their passwords. can GM be used to removed this directive?
"Remember, this like this never happened before this FF extension"
Bollocks. You could write bookmarklets, or user CSS files. Hell, you could disable CSS or Javascript, you could use a browser that displays things a certain way. You could write your own browser. You could use man-in-the-middle programs to rewrite code before it reaches the browser.
The web is about information. The presentation of that information is ultimately up to the user.
Having said all that, I should point out that I am somewhat uncomfortable with the blind adoption Greasemonkey is seeing. A lot of web sites use Javascript that makes assumptions about the structure of the page. By changing the structure of the page, you're going to potentially break pages that dynamically change themselves.
"Even Opera has jumped on the bandwagon with their own version of user scripts." Well, considering that Opera previewed a similar technology back in early 2003, I'm not so sure you could call that "jumping the bandwagon". But still, it's a nice edition, both to Firefox and Opera.
Hell, if I want to print it out and use it as toilet paper, I will.
Now that you've said this, everyone is going to use my site as TP. Thanks, buddy.
The dangers of knowledge trigger emotional distress in human beings.
It's not something everyone has to get all up in arms about. It's a presentation of information. If you don't like it, go somewhere else! If he chooses to display it and prevent this extension from running on his site, so be it! He's well within his rights to do such.
Of course he's within his rights. The real question is what's the benefit to him? People using greasemonkey tend to be people who know what they're doing, so if they break something on a site they'll likely be able to fix it. But just like the article, there seems to be this paranoia that greasmonkey will run rampant and ruin everyone's browsing experience.
Bah! When I go to the poster's website, you know what I see? Overlapping content because I don't run a 1024x768 window. I could fix it with greasemonkey, but that would be 'breaking' the designer's intentions.
I'm a web designer, and I truly believe that a good designer knows better than a user how things should look 95% of the time... but if a user wants to override my design choices that is fine with me. Of course my sites may end up looking up broken and discombobulated, but why should that matter to me? Anyone doing that should know why things are broken, and if not than it's not really worth my time to worry about it. I'd rather have a few idiots think I'm a shitty designer than have my fellow web hackers think I'm a control freak.
"It is nothing personal, it is just business and honestly, my paycheck, not my morals, dictate my work environment."
The second worst thing about that statement is that you sound as if you mean it.
The worst thing is that you sound as if you're proud of it.
This attitude causes most of the suffering and evil in the world. The relatively few people who actually have the goal of harming others wouldn't get very far without lots of wimps with this attitude.
(I may just be troll feeding here, but I still had to call it.)
Exam 4/C again. Maybe I'll do better this time.
"One of the most jaw dropping extensions that I have seen to date." --Anders Conbere
Check it out.
-- Scott Turner
No. Sorry. It's not your information. It doesn't belong to anyone. Those that chose to display information a certain way are in their right to do such and lame excuses to justify the bastardization of their attempts to come off a certain way are the rant of the uninformed zealot with a "screw you all" mentality. ...
It's not something everyone has to get all up in arms about. It's a presentation of information. If you don't like it, go somewhere else! If he chooses to display it and prevent this extension from running on his site, so be it! He's well within his rights to do such.
I suppose from the above statements that you're opposed to the level of control most browsers ALREADY give over the display of content? To wit, in Firefox I can go to Edit->Preferences->General, and in there override fonts and colors so that the page's fonts, font sizes, and colors aren't used. I can choose to force links to be displayed with underlines. Under Edit->Preferences->Web Features, I can override popups, javascript, image loading, etc, as well as provide exceptions to most of those... Under Edit->Preferences->Advanced, I can control the resizing of images, force links to open in new tabs, etc. Additionally, if I set up proxies, I can force all my connections to go through privoxy, blocking ads and the like. I can also choose to not install flash, making websites that use it extensively stand out pretty sorely.
All of these settings can be viewed as a bastardization of designers' attempts to display information in a certain way. And most of these settings have been around since the early 1.x days of Netscape Navigator. GreaseMonkey appears to be the logical extension of these settings to the CSS world.
All the HTML markup in the world serves a single purpose---to suggest how a browser should display something to approximate what the originator had in mind. Nothing has ever said that HTML is an imperative command to display something ONLY one way.
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
But your site looks bad on my browser, it is making assumptions about my screen that are incorrect. Why would you want to prevent me from fixing that?
Your content is not displayed on your site, it is displayed on my computer, and you don't know my local parameters. What is there to gain, for anyone, by not allowing me to adjust for a mismatch there?
What keeps me going is my inertia.
> I'm a web designer, and I truly believe that a good designer knows better
> than a user how things should look 95% of the time...
Yeah, maybe, but the *other* 97.384% of web designers *don't*. For starters, most of them are stuck in a brain-dammaged 1985-esque mindset wherein they pretend they're still working with an ink-on-paper medium. I've given up entirely on the idea of allowing websites to choose their own colors, and I've half a mind to take away their ability to choose their own layouts too, because most webmasters can't design a layout that works at different resolutions and with different text sizes if their lives depend on it.
Cut that out, or I will ship you to Norilsk in a box.
If you're writing static webpages, so what? It won't affect you.
If you're writing server-side scripting, you should already be paranoid-checking for bad user submissions. Time to double-check everything is in place.
If you're writing client-side scripts, welcome to hell. You can no longer assume anything will be where you put it, or, in fact, still exist.
What's more, you can't test your site "with greasemonkey" to see if it's OK. You have no idea what the user is going to do to your page with it.
This leaves a handful of options:
1) Make your scripts disable Greasemonkey (which will work until too many sites do it, and it's updated to allow users the final say)
2) Switch productive time fixing bugs and adding features to adding and subsequently wading through checks on every possible error condition that user scripts might make possible.
3) Ignore Greasemonkey and when the users complain your site is broken, inform them it's their own stupid fault.
My personal leaning is towards (3).
And it's not how it's supposed to work.
You can suggest, tell the visitor 'look, this is supposed to look like that', but ultimately the choice is the user's,
yes it is (the user's choice).. hasn't user-defined colors (or stylesheets in newer versions) been in graphical web browsers since pretty much the beginning?
note to webmasters: if you DONT want people to alter your page on the client-side, code it strict, use css, and leave the annoying scripts, ads, popups, ani gifs and other crap out of it.
once a site is on MY computer, i will do with it as i please. so long as i dont republish it, you can't piss and moan about it.
Despite how useful it is, I have some concern with GreaseMonkey and your browsers security.
The basic problem I see is that user scripts are plug-ins to to a plug-in. User scripts could do things that would be bad for security such as:
GreaseMonkey does not use the white list of sites allowed to install plugins and allows user scripts to be installed from just about anywhere.
I'm worried that somebody could set up a repository of user scripts that appear to do useful things but have spyware embedded in them. Users would install GreaseMonkey user scripts from the site thinking they were getting useful functionality but not realizing they were getting additional "goodies".
I don't install user scripts without knowing how they work and looking over the source myself. Preferably, I write my own. I don't see most users being able to do that sort of analysis. Hence the danger.
--Currency Calculator to Calculate Rates of Exchange for Foreign Currencies
Dev. website:r .js
http://mojodna.net/2005/04/19/mbta-maps/
Direct link to the Greasemonkey script:
http://maps.mojodna.net/mbta/mbta_google_maps.use
That reminds me of a holiday cottage I once rented in Wales. There was a note on the dining room door which said: "Please wear long trousers, not shorts, in this room."
I've been slightly nervous of the Welsh ever since..
This sig all sigs devours
Using Greasemonkey or ANY OTHER WEB CLIENT other than the one(s) the author is targetting does not make this a derived art. The original is still in its badly conceived format.
The problem here is that a large number of web "developers" believe that they can control the user's experience. The reality is that this is completely contrary to the HTML standard.
HTML is a method for giving structure to a document. CSS is a method of suggesting look-and-feel of the document. However, NOTHING prevents me from using an arbitrary web client (note: a "browser" is just one type of web client) that will display the structured document in some other way.
If you are designing a page/site in such a way that you try to force a given look-and-feel to everyone, you are limiting the usefulness of your site...not improving it.
The costly security report is just a money-making troll but there is one issue raised by greasemonkey that may worry a lot of content providers.
Blocking adverts is old hat but greasemonkey lets you do so much more. It offers you the potential to inject links to products from a rival vendor when browsing an online store or rewrite affiliate link ids on a page, to give two examples.
This is going to break a few business models.
Personally I'm not going to shed any tears. Many businesses have completely misunderstood the nature of the web and just seen hyperspace as somewhere else to stick up billboards. Those that can't evolve will die. But when you consider how upset certain people get if you want to just view their site in a manner they hadn't planned on, then we can definitely expect fireworks in the near future.
There's a very heated discussion between Cory Doctorow and Robert Scoble that touches on these issues at http://www.itconversations.com/shows/detail438.htm l about these issues, albeit in the context of Google's Autolink rather than greasemonkey.
On top of that The primary goal of a website is not to convey "art", it's to convey and publish information...
And as I (and other people) said, if I can't change the font colors, reorganize the page or whatever I want, how pissed the so called artist will be when I'll start using Links or Lynx to browse his website? or Netscape 2?
Fact is, if you want your website to be set in stone and consider it a crime for anyone to modify what he sees on his computer without any impact on whatever the other may be fed you shouldn't be creating a website in the first place.
You should be hacking rocks (even though sculptures can be broken or re-sculpted, you don't own them anymore as soon as they leave you) or painting (see above).
The feelings/emotions are supposed to be conveyed to the reader. If the reader doesn't understand/want them, what are you going to do, try to force your own sensibility on him? Nice way to make him leave forever...
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
But they're not displaying their content. The client web browsers are displaying the content and they have a right to display however they please. :)
Greasemonkey scripts are bound by the same restrictions as any other javascript.
;) The wiki page (when it's back up) was something I put up when I first saw GM, because it clearly needed some sort of directory to get some momentum. It's now a stopgap until something more structured is completed. You might try delicious as another directory.
No, they aren't. They are inserted into the code of another site's pages, therefore they get local access priveleges over those pages.
I'm a dev on GM, and I'd like to shed some light.
First, yes, GM is in the same security sandbox as the page script. It does not run as local script.
The threat model of a user script is the very same as a bookmarklet, except that user scripts get injected without clicks, meaning that the user could forget about some installed script.
If someone installs an Evil(tm) script, it can run on pages that the evil person doesn't control, and provide data back to the evil person.
Note that such evil can be delivered in other ways (bookmarklets, toolbars, etc) which are trojans. You should consider every user script as a possible trojan. So yeah, don't install scripts that do evil things, and if you're not sure, don't install.
We're working on a community-policed user script directory which can confer some level of trust. It's not ready yet. We were slashdotted a little too early.
Also, Greasemonkey supplies some interesting functions to the user script context, including GM_xmlhttpRequest, which allows cross-domain page requests. Couple this with GM_setValue and GM_getValue, and a user script can indeed very effectively share data between different web apps. Before you wail in terror, note that information could be sent to evil third-party domain already by using scripted image tags, iframes, and form posts. GM only opens up an easier way to share data; it does not allow anything that's truly new in this respect.