[Greasemonkey] Foreign sites detecting that greasemonkey is installed

Aaron Boodman zboogs at gmail.com
Tue Apr 5 09:10:28 EDT 2005

I already make the GM_* functions local to user scripts in the last
patch I sent out to the list. However, I don't think it's possible to
prevent the host page from realizing that it has been modified in a
general way.

In a case by case base, GM could always remove the code which does the
checking. Which I think is good enough.

On Apr 5, 2005 2:07 AM, Terry Alexis Lurie <tezza2k1 at yahoo.co.uk> wrote:
> It is probably not happening yet, but it is possible for remote sites to detect that Greasemonkey
> is installed. They could then jump into different code. This code could be hidden away. The way
> it could be done is by the remote scripts calling the GM_xmlhttpRequest and seeing if it is
> defined. This will become more as more GM_ namespace scripts are added.
> there seem to be three options:
> 1. Don't care. The hinderence caused by a solution is far more than the actual threat of sites
> doing so.
> 2. Strip out calls to GM_* functions from remote scripts. They have to call a know name to access
> them, so change those to undef functions.
> 3. Salt the GM functions. This is like 'salt' in UNIX crypt. So each Firefox GM user has a 'salt'
> value displayed, which they need to add to the function name to call local functions. So
> GM_xmlhttpRequest_AXF() if the local salt is AXF. Remote scripts will not be able to detect this.
> Problems:
> 1. If they start doing this, they could ban your user before you realise. For paid subscription
> sites, with terms and conditions to the contrary, they could detect that you have violated those
> T&Cs. This is not to say that it is illegal, but they may still quietly ban your user. You would
> have very little comeback. This user access may be paid by your company [a la Delphion.com]. You
> will have to explain to your boss why you got their corporate account banned.
> 2. Scripts may be able to checksum themselves and stop working, squeal if they fail.
> 3. Scripts will be less portable between users. It is also just a damn pain. One solution would
> be to have Greasemonkey itself secretly change the function calls WITH the salt before injecting
> it into the page.
> So bearing in mind 3., it would be nice to have salted GM_* calls for local scripts.
> Thoughts??
> Terry.
> ------------------------------------------------------------
> Terry Alexis Lurie          | 'Something witty that doesn't
> Freelance Computer Engineer |  look good with variable
> United Kingdom              |  width fonts' - Most nerds
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey

More information about the Greasemonkey mailing list