[Greasemonkey] Installing a user script via a data: url
tony at ponderer.org
Fri Apr 8 15:24:13 EDT 2005
On Fri, Apr 08, 2005 at 02:03:32PM -0700, Aaron Boodman wrote:
> Yeah that's sensible. Compliments on your system; my head just about
> exploded when I decoded a script and saw that it, itself, contained an
> encoded image ;-).
> Will implement your suggested change.
Hmm, so I was experimenting with this. It's pretty easy to fool the
extension into thinking it's a .user.js file:
But when you select "install user script" and confirm the install,
greasemonkey downloads the page again rather than using what's showing.
imagine the same problem exists for base64 encoded scripts.
I think mozilla patch that was sent out before mentioned fixing that
If you want to be more strict about which urls match, you could use the
regular expression in appending B of RFC2396:
> On Apr 8, 2005 1:56 PM, Julien Couvreur <julien.couvreur at gmail.com> wrote:
> > Matt suggests to use the sidebar editor to copy & paste the generated script.
> > That's definitely an option. But if we can do it, a click of a button
> > is preferrable to a copy & paste.
> > Jeremy says: "How about only allowing install from data: when it's
> > from location,
> > and not from a link?"
> > Actually I didn't know that you could install via a context menu on a
> > .user.js link :-$
> > I always install by loading the script first (so I can see it) and
> > then installing from the Tools menu.
> > So yes, I think that would be a good way to do it. Let me look at the
> > code some more to see how to enable the Tools menu on
> > My purpose was not to obfuscate the script, only to allow installing
> > client-side generated scripts.
> > Cheers,
> > Julien
More information about the Greasemonkey