Slashdot Mirror
Hacking the Web with Greasemonkey
plasticmillion writes "Greasemonkey is a revolutionary Firefox extension that many feel has enormous implications for the future evolution of the web. By making it easy to write client-side scripts that modify webpages as you surf, it shifts the balance of power from content creators to content consumers. Since its inception, it has given rise to an impressive array of scripts for everything from enhancing Gmail with one-click delete functionality to preventing Hotmail from spawning new windows when you click on external links. In recent Greasemonkey news, Mark Pilgrim just published a comprehensive primer called 'Dive Into Greasemonkey', a must-read for those who want to try their hand at writing their own scripts. It should be noted that Greasemonkey is not without controversy, but this has done nothing to reduce its popularity among web programmers. Even Opera has jumped on the bandwagon with their own version of user scripts. To illustrate the principle to /.ers, I whipped up a handy little script called 'Slashdot Live Comment Tree', which lets you expand and collapse entire threads in an article's comments."
It should also be noted that the person claiming controvesy is also charging $49.00 for the "research" he has written. Do people buy these things?
Any, the summary of it reads as basically "users might install extensions that don't work with your own corporate pages". Personally, if an end user is installing applications without understanding the implications, you should ask whether that user should be allowed to install applications. The "researcher" claims that this risk should delay Firefox roll-outs in the enterprise.
Who's going to write the "Hide Roland Pipe" stories from Slashdot.
Achtung! You vill sit in ze CHAIR ven you read my book, NOT ON ZE COUCH!!!
Sieg heil!
That said, I am going to use this guide to disable Greasemonkey.
Step 1. Slashdot my own site.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Ah, good morning Mr. Ballmer.
But the web is about sending content to the user - it's up to the user how they want to display it. Unles you're supplying a locked down PC with your own browser configuration you have absolutely no control over what the end user does with the content you send, or how they interpret it.
Sure you can send CSS to the broser, but your visitor using links isn't going to see the result of you work. The visitor using a screen reader or mobile phone will be equally ignorant of your efforts.
These are user installed scripts, and this is the web not television. The folk visiting sites are not their passively, they're there to interact and if they want your site to function a little differently so it better fits with their expectations what rights do you have to stop them?
For several months, I labored under IE. 20 windows open everywhere, because it has no tabs. Even though I had managed to install Firefox (don't you love apps that don't require registry keys?), it was no help, because the applications department writes javascript that looks like it was squeezed from between Ballmer's asscheeks.
It was difficult. Took me two months of working with greasemonkey, of 3 minutes stolen here, and 5 minutes borrowed there in between calls (did I mention I'm only a phone monkey for a DSL ISP?). But in the end, not only can I use our main webapp in Firefox, it has features that the standard one doesn't. It often helps to shave up to a minute off of calltimes.
Which may be why I'm in trouble for using Firefox at that job. Dunno.
This seems to be another step in the battle that's as old as the web, over who gets final say as to how a web page is presented.
I feel the (Firefox) user should, and generally is going to have the edge, what with the uriid extension to apply site-specific CSS, greasemonkey, and other tools. But page producers always have wanted to dictate exactly how their pages appear to the user, however misguided that is, and I doubt the battle will ever be over.
Oh no... it's the future.
You can fix rendering bugs that the site owner can't be bothered to fix themselves.
:)
Could be useful for Slashdot then
Websites are a strange medium. Things like greasemonkey and adblock and google toolbar have been spurring these debates about content control.
I would not be suprised if this debate grew bigger as the popularity of client side controll apps gets bigger.
Alot of people want their webpage to look the way they intended it to look, but I think the truth is that you can not count on that. Different browsers, different computers, different monitors...
I am in favor of client side tools, I think that a user getting the best use possible out of a site is a good thing, in fact that is my goal when designing a website. If they think they can do it better, be my guest.
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
Your analogy is flawed. Artists have never had a right to prevent you from looking at their work in a certain way. Painters can't stop the colorblind or those wearing sunglasses to look at their paintings. Anyone can skip entire chapters when reading a book. I can play Beethoven and Britney Spears at the same time if I please.
What I do with those works in the privacy of my own home is my business. I might just prefer it that way, and there's nothing you can do about it.
Artists do have recourse against people redistributing altered ("raped") works, but that is also limited.
In the case of greasemonkey, it's just a tool you use to view the web; other people might use other tools, like lynx for example, which renders a page completely differently from firefox or internet explorer. It's personal use. So lay off of it.
SCO employee? Check out the bounty
You can suggest, tell the visitor 'look, this is supposed to look like that', but ultimately the choice is the user's, just as in a book the reading order is merely a hint, if one wants to read the book backwards more power to him, and the author is not supposed to come at him with a big stick saying "no no, you're not supposed to read backwards, you can't skip pages either or i'll beat you to a bloody pulp you crackwhore", which is exactly what mfh intends to do...
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
I have a web page that runs a little javascript at the end, where it pops up an alert window, then redirects to another page. I would like to write a greasemonkey script to remove this redirection. Unfortunately, the page's javascript gets run before greasemonkeys. Any ideas about how get my greasemonkey script to run sooner?
I'm a leaf on the wind. Watch how I soar.
In order to avoid $50 articles, I found this article which did talk about some potential security problems with greasemonkey. It seems hackers could make scripts that behave maliciously. According to the article, even the original greasemonkey developer has expressed concerns along those lines.
"Remember, this like this never happened before this FF extension"
Bollocks. You could write bookmarklets, or user CSS files. Hell, you could disable CSS or Javascript, you could use a browser that displays things a certain way. You could write your own browser. You could use man-in-the-middle programs to rewrite code before it reaches the browser.
The web is about information. The presentation of that information is ultimately up to the user.
Having said all that, I should point out that I am somewhat uncomfortable with the blind adoption Greasemonkey is seeing. A lot of web sites use Javascript that makes assumptions about the structure of the page. By changing the structure of the page, you're going to potentially break pages that dynamically change themselves.
"Even Opera has jumped on the bandwagon with their own version of user scripts." Well, considering that Opera previewed a similar technology back in early 2003, I'm not so sure you could call that "jumping the bandwagon". But still, it's a nice edition, both to Firefox and Opera.
Hell, if I want to print it out and use it as toilet paper, I will.
Now that you've said this, everyone is going to use my site as TP. Thanks, buddy.
The dangers of knowledge trigger emotional distress in human beings.
"One of the most jaw dropping extensions that I have seen to date." --Anders Conbere
Check it out.
-- Scott Turner
But your site looks bad on my browser, it is making assumptions about my screen that are incorrect. Why would you want to prevent me from fixing that?
Your content is not displayed on your site, it is displayed on my computer, and you don't know my local parameters. What is there to gain, for anyone, by not allowing me to adjust for a mismatch there?
What keeps me going is my inertia.
If you're writing static webpages, so what? It won't affect you.
If you're writing server-side scripting, you should already be paranoid-checking for bad user submissions. Time to double-check everything is in place.
If you're writing client-side scripts, welcome to hell. You can no longer assume anything will be where you put it, or, in fact, still exist.
What's more, you can't test your site "with greasemonkey" to see if it's OK. You have no idea what the user is going to do to your page with it.
This leaves a handful of options:
1) Make your scripts disable Greasemonkey (which will work until too many sites do it, and it's updated to allow users the final say)
2) Switch productive time fixing bugs and adding features to adding and subsequently wading through checks on every possible error condition that user scripts might make possible.
3) Ignore Greasemonkey and when the users complain your site is broken, inform them it's their own stupid fault.
My personal leaning is towards (3).
And it's not how it's supposed to work.
You can suggest, tell the visitor 'look, this is supposed to look like that', but ultimately the choice is the user's,
yes it is (the user's choice).. hasn't user-defined colors (or stylesheets in newer versions) been in graphical web browsers since pretty much the beginning?
note to webmasters: if you DONT want people to alter your page on the client-side, code it strict, use css, and leave the annoying scripts, ads, popups, ani gifs and other crap out of it.
once a site is on MY computer, i will do with it as i please. so long as i dont republish it, you can't piss and moan about it.
Dev. website:r .js
http://mojodna.net/2005/04/19/mbta-maps/
Direct link to the Greasemonkey script:
http://maps.mojodna.net/mbta/mbta_google_maps.use
That reminds me of a holiday cottage I once rented in Wales. There was a note on the dining room door which said: "Please wear long trousers, not shorts, in this room."
I've been slightly nervous of the Welsh ever since..
This sig all sigs devours
The costly security report is just a money-making troll but there is one issue raised by greasemonkey that may worry a lot of content providers.
Blocking adverts is old hat but greasemonkey lets you do so much more. It offers you the potential to inject links to products from a rival vendor when browsing an online store or rewrite affiliate link ids on a page, to give two examples.
This is going to break a few business models.
Personally I'm not going to shed any tears. Many businesses have completely misunderstood the nature of the web and just seen hyperspace as somewhere else to stick up billboards. Those that can't evolve will die. But when you consider how upset certain people get if you want to just view their site in a manner they hadn't planned on, then we can definitely expect fireworks in the near future.
There's a very heated discussion between Cory Doctorow and Robert Scoble that touches on these issues at http://www.itconversations.com/shows/detail438.htm l about these issues, albeit in the context of Google's Autolink rather than greasemonkey.
Greasemonkey scripts are bound by the same restrictions as any other javascript.
;) The wiki page (when it's back up) was something I put up when I first saw GM, because it clearly needed some sort of directory to get some momentum. It's now a stopgap until something more structured is completed. You might try delicious as another directory.
No, they aren't. They are inserted into the code of another site's pages, therefore they get local access priveleges over those pages.
I'm a dev on GM, and I'd like to shed some light.
First, yes, GM is in the same security sandbox as the page script. It does not run as local script.
The threat model of a user script is the very same as a bookmarklet, except that user scripts get injected without clicks, meaning that the user could forget about some installed script.
If someone installs an Evil(tm) script, it can run on pages that the evil person doesn't control, and provide data back to the evil person.
Note that such evil can be delivered in other ways (bookmarklets, toolbars, etc) which are trojans. You should consider every user script as a possible trojan. So yeah, don't install scripts that do evil things, and if you're not sure, don't install.
We're working on a community-policed user script directory which can confer some level of trust. It's not ready yet. We were slashdotted a little too early.
Also, Greasemonkey supplies some interesting functions to the user script context, including GM_xmlhttpRequest, which allows cross-domain page requests. Couple this with GM_setValue and GM_getValue, and a user script can indeed very effectively share data between different web apps. Before you wail in terror, note that information could be sent to evil third-party domain already by using scripted image tags, iframes, and form posts. GM only opens up an easier way to share data; it does not allow anything that's truly new in this respect.