Changes to @grant and @inject-into
#265
Comments
|
Just as a hint, if this change causes your script to not work, for most scripts that used to work fine in For some other cases, you may be using both GM APIs and page scripts, please try to separate your script logic, manually add page scripts to the page DOM, and keep the whole script in the content script context to keep everything working. For the remaining cases, you can describe your use case and maybe we can tell you the right way to implement it. Always remember that |
|
Please add an option to "enable unsafe mode", so that Userscripts will work as they did in the prior version. After updating to v1.2.1, most of my userscripts are not working. I would happily downgrade back to v1.2.0, but unfortunately iOS doesn't let you. |
|
Can you give me an example of a userscript that worked prior but doesn't work any more? Preferably something simple? |
I don't think it's a sensible option, you can never expect users to understand the risks behind this option, most users just want it to work by default and ignore the security implications until dire consequences. Fix security bugs and steer everything towards the correct implementation. It must be a difficult process, but it's ultimately beneficial to the user. Maybe you should feedback those script authors to implement functionality in a safe way, which they can. And as mentioned above, most scripts only need to declare the corresponding metadata, or make few modifications to run in a more secure and generic way, and a few scripts that rely on non-generic features need to redesign their logic. |
|
Just for the average user, I would like to tell you the nature of these changes more simply with an analogy. These changes is not like the iOS system does not allow users to use root permissions for security or other reasons, it is more like closing a path that allows anyone to use root permissions to control you, which means it shouldn't exist at all. ('root' in this case means higher privileges) These changes does not prohibit your rights, but protects you from malicious scripts. This was never an option. |
|
The main goal of this change was to isolate the If a developer wants the expose those methods to the page context, I can't stop them from doing so, but that functionality is no longer built into the extension to do so. A motivated developer can still expose those function to the page, but the effort required to do so might be better spent elsewhere. If anyone has any suggestions on how to improve the functionality to securely give the page access to the methods (if that even exists) or how to pull the page context into the context of the content script, please do share. It is very possible that a minor change in your existing userscript will restore functionality. I apologize for the inconvenience this has caused anyone. |
|
Another note: I reverted the default |
|
@quoid Yes, as long as |
Thanks, that was the cause of the problems. Also, With these changes, will something like a Popup Blocker userscript be able to work? It overrides Example userscript: https://github.com/Eskander/ultra-popup-blocker/blob/main/src/ultra-popup-blocker.user.js Well, I'm not sure if that userscript would work either way, if synchronous |
|
@KamilTheDev I think with some proper modifications it should work, it just needs to separate out the logic of the page script in the content script context, add this part of the code as an in-line script to the page document as an alternative to I see that |
|
Is there a way to have access to GM API but also to page's context? |
|
@scholtzm The best way is to describe your use case in detail. |
|
@ACTCD I use GM_xmlhttpRequest to load cross-origin resources but I also use some globals used by the website available in the page context. This is possible in Tampermonkey and I wanted to provide the script for Userscripts users on iOS. |
|
@scholtzm Still, your use case is not clear enough, can you provide your script, or a more detailed description of what you're doing, so I might be able to help you separate out the logic. To be clear, |
|
@quoid Perhaps there could be a way to preserve This way I could have a single script for both Tampermonkey and Userscripts users. Right now, all |
Other browser extensions do this via Anyway, most scripts don't need
|
It certainly does not otherwise the same script that works in Tampermonkey would also work in Userscripts.
Then I would need to distribute 2 different scripts. I made a mistake of tagging you in my previous post, fixed it. |
This comment was marked as outdated.
This comment was marked as outdated.
|
Thank you @quoid for a thorough explanation. Your example game me another idea, how about calling Example: // ==UserScript==
// @name Test - call page from content scope
// @description This is your new file, start writing code
// @match *://*/*
// @inject-into content
// ==/UserScript==
console.log('from content', typeof $);
const code = `
console.log('from page', typeof $, $.toString());
`;
const tag = document.createElement("script");
tag.textContent = code;
document.head.appendChild(tag);
tag.remove();
Is this an OK approach to take? I might be missing some crucial detail why this is not a good idea or won't work properly. |
|
Your example looks similar to what I did, I don't see any difference. You could update the page globals through a script tag (if needed) and it would be better than my example because you don't expose the
You can still face an issue with the page CSP. If the page has a strict CSP, then whatever you inject through a script tag won't get executed. There are ways to avoid page CSP issues, one of which I believe TamperMonkey uses which is header manipulation, but as mentioned above that's not possible with Safari. Another way is by using At a higher level, the main reason we avoid |
|
@quoid I took a stab implementing it in the script but I'm not sure I can make it work. My initial idea was shortsighted and didn't account for needs in my script. Sometimes I need to retrieve value from Makes me wonder again about |
|
I am pushing a beta build that includes the above changes, if you're not on beta you can sign up from links on the bottom of the |
|
Yep, this is what I meant with my comments. Will check out the BETA build. |
|
Tested both macOS and iOS Betas and can confirm it works as expected for my use case. 👍 I'm looking forward to seeing this update in the stores for everyone else. |
|
@scholtzm after a week or so I will push to app store |
Is there any chance the release will happen in the upcoming week? |
|
@scholtzm I can submit it to today. It usually takes a day or so to get pushed as an update to users. |
|
closing this again, the latest build contains the newest changes |
|
After reading the commit related to this issue, and the source code related to adding You still use Since |
The content script scope is isolated from the page scope, they have different
Yes, that should still be done, even if not a security concern. |
|
Line 175 in e29d0a7 From what I've read in the relevant source code, there seems to be a description error here, According to the description here, |
Yes, I wrote a simple script to test, the page script can completely listen to the message sent in the content script. The instructions here also warn
|
Could you send me that script? My email is on my profile page or you could post it here EDIT: I wrote a test script as well and was able to log the messages being posted from the content script scope. However, I was not able to execute privileged APIs from the page scope, which was my main concern. This will be corrected in an update soon. |
|
The update readme text will be:
|
As long as any script is injected into the current page, even if it's just |
I should have elaborated to say, arbitrarily execute API methods. What you mention above, although unlikely, is a possibility and #315 should resolve it. |
This comment was marked as resolved.
This comment was marked as resolved.
|
I understand what you are saying and agree. This will get fixed. Feel free to email me whenever with sensitive information. |
This comment was marked as outdated.
This comment was marked as outdated.
|
@MotherOfClamperl that's a fairly old snippet and I don't believe it should work in more recent versions. |
|
@quoid yeah only just tested it on a "page" script and got this error: ...so there's no ways left to expose xmlhttpRequest at the very least? I'd like to have userscripts that have persistent data/settings without needing any additional content scripts in addition to the page script. I could just use http://localhost + fetch rest API, but the userscripts are synced to my phone, and it would suck having 0 settings in some userscripts without additional content scripts. Only way around this I could think of is running an additional server on iOS using localhost (since connecting via network (eg: http://192.168.x.x) triggers CORS with fetch, as well). But I don't think that's possible...? |
|
@MotherOfClamperl I'm not sure about your specific use case, but we don't recommend that you expose any of the GM Advanced APIs to the page script context. Refer to this demo if you need to exchange data in
|
If someone could help me with this. Link to userscript: https://greasyfork.org/scripts/38050-cf-predictor/code/CF-Predictor.user.js System Information:
|
|
It looks like your script is using |
The next patch update will change a few things, that while programmatically minor (from a development standpoint), that can change the way your userscripts work. Since I don't have discussions enabled on this repo, this issue is more of a public announcement, but comments and discussion are more than welcome. Here are the changes:
contentis the new default value for the@inject-intometadata key (i.e. if you don't include@inject-intothe value,content, will be assumed)@granthas any value,@inject-intovalues ofpageand@inject-intovalues ofautowill automatically be reverted to@inject-into content(a message will be printed to the browser console when this occurs)pagecontext, however they can not useGMapis in thepagecontextThe reason these changes are being implemented is to ensure the the
pagecontext can not gain access to the privilegedGMapis.Related issue discussion: #252
The text was updated successfully, but these errors were encountered: