Enhance meta.js detection/support #1885
Comments
I remember @erikvold suggesting this at some point. This can already be solved by setting
At this point, we should definitely make it consistent for all scripts, regardless of hosting platform. I, personally, have always disliked that the download/update URL leaked into the metadata at all. It should have always been something invisible that "just works". It's hard to put that feeling into exact words, but probably: I as a user should be able to navigate to myfavoritescripthost.example.com/ and install scripts, and get updates only from that site, because I trust it. Not whatever random site got encoded into the metadata of that script, in any update from then on forever to the future. Or maybe that's made up nonsense? Extensions allow these values to be set (which is probably how it became a Greasemonkey feature?), but they have better/more strict security checks around the serving of updates and signing of the extension, etc.
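The policy argued for in the comment above, updates only from the site the script was installed from, can be expressed as a check on the script's metadata block. This is an added example, not Greasemonkey's code and not part of the thread; `checkUpdateSource`, the finding labels and the sample script are constructed for illustration, and `@updateURL`/`@downloadURL` are assumed to be the download/update keys under discussion.

```javascript
// Added example: the same-origin update policy is an assumption, not Greasemonkey behavior.

// Parse the ==UserScript== metadata block into a Map of key -> [values].
function parseMetadata(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  const meta = new Map();
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*?)\s*$/);
    if (!m) continue;
    if (!meta.has(m[1])) meta.set(m[1], []);
    meta.get(m[1]).push(m[2]);
  }
  return meta;
}

// Report every update/download URL that is not HTTPS on the install origin.
function checkUpdateSource(installUrl, source) {
  const install = new URL(installUrl);
  const findings = [];
  const meta = parseMetadata(source);
  for (const key of ['updateURL', 'downloadURL']) {
    for (const value of meta.get(key) || []) {
      let target;
      try {
        target = new URL(value, install); // relative values resolve against the install URL
      } catch (e) {
        findings.push({ key, value, issue: 'unparseable' });
        continue;
      }
      if (target.protocol !== 'https:') findings.push({ key, value, issue: 'not-https' });
      else if (target.origin !== install.origin) findings.push({ key, value, issue: 'cross-origin' });
    }
  }
  return findings;
}

// Constructed sample: installed from one host, downloads redirected to another.
const SAMPLE_INSTALL_URL = 'https://myfavoritescripthost.example.com/scripts/1.user.js';
const SAMPLE_SCRIPT = [
  '// ==UserScript==',
  '// @name        Example script',
  '// @version     1.2',
  '// @updateURL   https://myfavoritescripthost.example.com/scripts/1.meta.js',
  '// @downloadURL https://elsewhere.example.net/scripts/1.user.js',
  '// ==/UserScript==',
  'console.log("hello");',
].join('\n');
console.log(checkUpdateSource(SAMPLE_INSTALL_URL, SAMPLE_SCRIPT));
```

A script manager applying this policy would run the check on every fetched update as well as at install time, since a later version can change the keys.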
I put those keys in (or at least defined their behavior). The rationale was that it is the only way to ensure that a script can be installed from anywhere and still check/install updates from the right place. It can be invisible, since GM uses the install url for update checks and installing updates automatically. Who is this proposed feature targeted at? People who host static scripts on their (https) site? I guess you remove the step of setting the download/update URLs. But is that really an improvement? If they set those values and posted their script to USO (or whatever site), then when any user installs that script (from whatever site) they will still receive updates from the official source.
I trust who wrote the script and set the download/update URLs, and want to get updates from that author because I trust them.
Who does this?
Nope. Total coincidence. Guess great minds think alike haha
Yes they do, but they need to. Malicious extensions can do far more harm than malicious user scripts. Still I wish there was a more secure way to handle this. Anyway, I'm -0.5 on this. I'm not totally against it, but a little hesitant. If we do it, I think we must keep the existing metadata keys. The cat is already out of the bag.
Unrelated but I don't know where else to put it: OpenUserJS.org is now https-only, so you can update this page (I'd do it but I can't log in for some reason).
Done!
Email me please. I'd like to make sure this works, and I'm not accidentally shutting the world off from updating the wiki. (Battling spam on a wiki ....)
It works. I just guessed the wrong password. Sorry for the inconvenience.
See also #1884.
Greasemonkey has special support for the "userscripts.org" domain and will check for updates via their "meta.js" convention, rather than downloading the whole script.
This mechanism could be extended to work across the whole internet. I'm imagining some sort of: