[Greasemonkey] Foreign sites detecting that greasemonkey is installed

Terry Alexis Lurie tezza2k1 at yahoo.co.uk
Tue Apr 5 11:07:36 EDT 2005


It is probably not happening yet, but it is possible for remote sites to detect that Greasemonkey
is installed. They could then jump into different code. This code could be hidden away. The way
it could be done is by the remote scripts calling the GM_xmlhttpRequest and seeing if it is
defined. This will become more as more GM_ namespace scripts are added.

there seem to be three options:

1. Don't care. The hinderence caused by a solution is far more than the actual threat of sites
doing so.

2. Strip out calls to GM_* functions from remote scripts. They have to call a know name to access
them, so change those to undef functions.

3. Salt the GM functions. This is like 'salt' in UNIX crypt. So each Firefox GM user has a 'salt'
value displayed, which they need to add to the function name to call local functions. So
GM_xmlhttpRequest_AXF() if the local salt is AXF. Remote scripts will not be able to detect this.

Problems:

1. If they start doing this, they could ban your user before you realise. For paid subscription
sites, with terms and conditions to the contrary, they could detect that you have violated those
T&Cs. This is not to say that it is illegal, but they may still quietly ban your user. You would
have very little comeback. This user access may be paid by your company [a la Delphion.com]. You
will have to explain to your boss why you got their corporate account banned.

2. Scripts may be able to checksum themselves and stop working, squeal if they fail.

3. Scripts will be less portable between users. It is also just a damn pain. One solution would
be to have Greasemonkey itself secretly change the function calls WITH the salt before injecting
it into the page.

So bearing in mind 3., it would be nice to have salted GM_* calls for local scripts.

Thoughts??

Terry.

------------------------------------------------------------
Terry Alexis Lurie          | 'Something witty that doesn't
Freelance Computer Engineer |  look good with variable
United Kingdom              |  width fonts' - Most nerds


More information about the Greasemonkey mailing list