Skip to content

v3.16.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 02 Jul 22:57

Deep engineering + product-quality audit pass.

Security

  • GM networking bound to the authenticated caller. GM_xmlhttpRequest / GM_webSocket / GM_download, GM_getResourceText/URL, GM_loadScript, and menu register/unregister used the caller-supplied script id, letting one userscript borrow another's @connect allowlist or read its @resource bodies. All now use Chrome's unspoofable sender.userScriptId.
  • Attribute-injection XSS in the dependency graph and other panels (quote-unescaping escapers) fixed.

Data safety

  • Cloud sync no longer permanently re-deletes restored-from-trash scripts (the tombstone-resurrection guard was dead code).
  • Trash restore persists the script before emptying the trash entry (no loss on a service-worker crash).
  • Backup restore no longer wipes per-script settings (match rules, notes, tags, pin) of installed scripts.

Correctness

  • Chrome no longer misdetected as Firefox — restores per-script world isolation on Chrome 133+ and the correct setup instructions.
  • Editor no longer swallows the first keystroke after a tab switch; cursor Ln/Col updates instead of freezing.
  • New Script / Duplicate / New Folder report failures instead of silently doing nothing.
  • Storage meter measures real usage; Find Scripts pagination works again.

Full detail in CHANGELOG.md; ~13 additional verified findings are tracked in ROADMAP.md.