[Greasemonkey] Installing a user script via a data: url

Tony Chang tony at ponderer.org
Fri Apr 8 15:24:13 EDT 2005

On Fri, Apr 08, 2005 at 02:03:32PM -0700, Aaron Boodman wrote:
> Yeah that's sensible. Compliments on your system; my head just about
> exploded when I decoded a script and saw that it, itself, contained an
> encoded image ;-).
> Will implement your suggested change.

Hmm, so I was experimenting with this.  It's pretty easy to fool the
extension into thinking it's a .user.js file:

But when you select "install user script" and confirm the install,
greasemonkey downloads the page again rather than using what's showing. 
As it downloads the page, it loses the javascript generated code.  I
imagine the same problem exists for base64 encoded scripts.

I think mozilla patch that was sent out before mentioned fixing that

If you want to be more strict about which urls match, you could use the
regular expression in appending B of RFC2396:
But that just makes it harder to make javascript generated user scripts.


> On Apr 8, 2005 1:56 PM, Julien Couvreur <julien.couvreur at gmail.com> wrote:
> > Matt suggests to use the sidebar editor to copy & paste the generated script.
> >
> > That's definitely an option. But if we can do it, a click of a button
> > is preferrable to a copy & paste.
> >
> > Jeremy says: "How about only allowing install from data: when it's
> > from location,
> > and not from a link?"
> >
> > Actually I didn't know that you could install via a context menu on a
> > .user.js link :-$
> > I always install by loading the script first (so I can see it) and
> > then installing from the Tools menu.
> > So yes, I think that would be a good way to do it. Let me look at the
> > code some more to see how to enable the Tools menu on
> > data:text/javascript pages, without enabling it on links.
> >
> > My purpose was not to obfuscate the script, only to allow installing
> > client-side generated scripts.
> >
> > Cheers,
> > Julien

Tony Chang

More information about the Greasemonkey mailing list