Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Enhance meta.js detection/support #1885
See also #1884.
Greasemonkey has special support for the "userscripts.org" domain and will check for updates via their "meta.js" convention, rather than downloading the whole script.
This mechanism could be extended to work across the whole internet. I'm imagining some sort of:
I remember @erikvold suggesting this at some point. This can already be solved by setting
At this point, we should definitely make it consistent for all scripts, regardless of hosting platform.
I, personally, have always disliked that download/update URL leaked into the metadata at all. It should have always been something invisible that "just works". It's hard to put that feeling into exact words, but probably: I as a user should be able to navigate to myfavoritescripthost.example.com/ and install scripts, and get updates only from that site, because I trust it. Not whatever random site got encoded into the metadata of that script, in any update from then on forever to the future.
Or maybe that's made up nonsense? Extensions allow these values to be set (which probably how it became a Greasemonke feature?), but they have better/more strict security checks around the serving of updates and signing of the extension, etc.
I put those keys in (or at least defined their behavior). The rationale was that it is only way to insure that a script can be installed from anywhere and still check/install updates from the right place. It can be invisible, since GM uses the install url for update checks and installing updates automatically.
Who is this proposed feature targeted at? People who host static scripts on their (https) site? I guess you remove the step of setting the download/update URLs. But is that really an improvement? If they set those values and posted their script to USO (or what ever site), then when any user installs that script (from what ever site) they will still receive updates from the official source.
I trust who wrote the script and set the download/update URLs, and want to get updates from that author because I trust them.
Who does this?
Nope. Total coincidence. Guess great minds think alike haha
Yes they do, but they need to. Malicious extensions can do far more harm than malicious user scripts. Still I wish there was a more secure way to handle this.
Anyway, I'm -0.5 on this. I'm not totally against it, but a little hesitant. If we do it, I think we must keep the existing metadata keys. The cat is already out of the bag.