-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to allow communication with cooperate pages #322
Comments
A simple example how to get the Tampermonkey version and check whether
And at the moment these functions are whitelisted to the following URLs:
Edit: updated example |
Why would you let servers to detect Tampermonkey? |
Only the pages mentioned above are able to detect Tampermonkey. This feature enables them to know whether Tampermonkey is installed. If so then there is no need to show install instructions. Examples of such a behavior are:
If a user doesn't like it then this feature can be disabled and it's also disabled by default in incognito mode.
This would require me to monitor all the pages mentioned above and release a new Tampermonkey version or to update a pre-installed userscript once a change was detected. Also the page might look different dependent on the viewer's country, A/B tests, ... |
I now understand the problem of conducting this check on client-side. I think this option should be disabled by default in any mode, but if it won't be disabled by default, inform users about this new option upon update. |
Maybe TM should show a confirmation page the first time a whitelisted site wants to get the info. With buttons to allow/disallow permanently/temporarily. |
What is Tampermonkey's behaviour if a user installs a script, the script gets renamed, then the user attempts to install again? Is the script updated or is another copy installed? Are there other attributes that could be searched for? I'm concerned about the rename case as well as the case where a user has multiple scripts with the same name. How does this work with localized script names? What is your example script waiting to happen before it can do its thing? |
If the user manually renamed a script or the author renamed it and the user installs it again before an automatic update happened, then a new copy is installed. If the script was renamed at the server, then this API allows you to query both names and display a warning. Do you know how often scripts get renamed?
Yes, I thought about using the
Tampermonkey internally handles scripts using a UUID. However, on installation (from URLs) existing scripts with the same
You always need to query for non-localized names (== the value of
Since this feature is user-configurable the content script needs to contact the background page. Unfortunately this is asynchronous communication and therefore it can not be guaranteed to be finished earlier. Edit: added |
@JasonBarnabe @Martii I've added the possibility to query by So is this interesting for you in general? |
I seriously doubt that OUJS is going to restrict clicking it more than once other than the brute force prevention. Sometimes there are unexpected failures in the pipeline and waiting a few is the only thing to do. One of my pet peeves in Chromium/Chrome is how google prevents you from reinstalling something when it's profile gets somewhat corrupted or failure to update. I still have to manually update TM in those browsers all the time... which means uninstall the current version then reinstall it from the store... you can see where I'm going with this.
That is one of my concerns... if the UID (or whatever acronym is chosen here for script signature) is constant OUJS won't know when to signal "already installed"... perhaps if a user has hand edited a script, what then... if you catch my drift. It isn't revolting or appealing right now as far as a I can tell but I may be missing some extra UI logic that you are aiming for. Proper identification is a plus for communication of this sort but as you already know another extension/add-on can wreak some havoc with that. As I noted over at the OUJS issue it won't be in our node stack but the "Content Scope" should be okay as long as another Userscript isn't messing with the results or identifiers/naming conventions (think the |
Just to be clear, I was referencing the part where you're waiting for |
Is there a way to add to the whitelist (by console if necessary)? I'd like to test this out locally before deploying anything to greasyfork.org. |
Unfortunately not. All methods to communicate with the background page (which contains the config) are asynchronous. However, I think after one second you can definitely give up waiting for Tampermonkey.
Unfortunately not, but I've build a version with localhost support. You have to drag and drop it to Chrome's extension page to install it. Edit: updated test crx URL |
A soft-notice is fine with me. I just wanted to give the script hosters a little bit more information about the user that is viewing the page. |
I implemented this on greasyfork.org. Code is at https://github.com/JasonBarnabe/greasyfork/blob/master/app/assets/javascripts/versioncheck.js |
I really like this, but I don't use congregated userscript sites. Do you think you could enable "isInstalled" for It would be pretty nice if I could detect script versions on my landing pages for userscript. |
I have to agree with @feildmaster, but I would really prefer if the whitelist goes bye-bye. I want to prevent users from tampering with the anti-cheat I have installed, and the only way to check is if Tampermonkey tells me. |
However, if this feature doesn't have a whitelist, any site can prevent user from using userscript. Maybe a better solution is enable user to control a whitelist to expose tampermonkey api. @Kio-td I don't think it is a valid reason for doing this, because there is many ways to do so. |
Can it be used to prevent userscripts? I thought it was simply a getter for data. I mean ,I guess you could code something to say "We don't like you using userscripts" but really? |
For example, a website can simply |
I see. Personally that'd put me off of using a website that is so adamant against user scripts. And for those cases I suspect it would be more convenient to have a blacklist for the API, rather than a whitelist. I still would like github.io to be whitelisted though. |
I get your points, but still, I have very vulnerable parts of the code that I'd rather not leave exposed in the open, even if I take preventative measures on my server. The only thing I can see TM being used on my server is to disable Anticheat, or to change servers, and I'm not about to take that 50/50 risk, which is why I'd rather the whitelist be gone. After all, the point of the game is to be fast, and I'm not going to have anything on there that'll slow down the game, or anything else about it, like particles. To go against your point, of course, I get that people like userscripts. But how do you check to make sure someone is not cheating, or using Automovers, or something else without this sort of feature? God, anyone can see how some games have become much shittier because of cheaters. Let's take this example to the airport, yeah? In essence, you're asking me to watch for anyone trying to run past security, instead of using metal detectors. I get it, you want to keep your glasses, iPhones and knives on your body, but it just becomes a really really dangerous and -guessish- process that can end up in disappointed clients, and worst case - lost money because of it. For these reasons, I see this as valid, mainly because I want as many preemptive measures to keep people from breaking the TOS. |
From my perspective, the only use of client side verification is better UX, so you should never trust the data sent by users by all means. |
Lets see, to address Kio with his anti-cheat now that I understand what he's doing... Clients are never to be trusted, even if you add a hell of a lot of anti-cheat methods on the client side. The best place for anti-cheat is on the server, to validate the data being sent. Now for wanting to block userscripts simply because you don't want cheaters... I'm not sure I understand really. I make scripts for games. It's usually to add in features the game developers refuse to incorporate. Do some people think it's cheating? I'm sure they do. However I never consider any of the scripts I make to be cheating. And if I understand the API any, you can't just get all of the scripts being run. You have to actually query them. You can't just say... "Tampermonkey is enabled, disable it to play the game." That just isn't... fair. |
Unfortunately this is not possible. |
It's not? That's a shame. How come? |
This allows script hosters to detect Tampermonkey and to query by name whether a script is installed.
The text was updated successfully, but these errors were encountered: