[Greasemonkey] Question: what would happen if Greasemonkey sent the ID of every applicable user script with each request?

Michael Bierman greasemonkey at thebiermans.net
Fri Apr 29 17:29:28 EDT 2005

"I'd recommend we move forward with a header, allow the paranoid user to
disable it and wait for the reactions of the publishers."  

Sounds like a good suggestion to me.  I'd like to think web publishers will
react in the former fashion described below, but since there is sometimes
money at stake for them, there is good reason to suspect they will react in
the latter fashion.  A user preference would work--perhaps allow black or
white lists so the user can decide if he/she wants to report to some sites,
but not all.  This allows users to provide feedback to those sites that are
GM friendly and not to others.

Michael Bierman

-----Original Message-----
From: Julien Couvreur

On 4/28/05, Aaron Boodman <zboogs at gmail.com> wrote:
> Ok, my point is not really getting across here. I'll try once more and 
> then give up.

Please don't give up :-$
Like I said before
(http://www.mozdev.org/pipermail/greasemonkey/2005-April/001346.html ) I
think such a header is a good idea! (mostly for "intelligence"
purpose for publishers, but not for them to take any action like not serving
the page or modifying the content).

I think the most interesting thing that publishers can do with the
information is: look up the scripts that are being used on their sites and
learn from them, possibly making them easier or integrating these features
in their website. They would also learn how popular each script is.
For that purpose, the header should send not only "GM v0.3" but the list of
active scripts for that page.

But publishers could try to take the opposite route and fight these scripts,
although that would likely lead to them losing that information. They would
still be able to obfuscate, but they'd have to keep monitoring the user
script directory rather than just monitor their logs to detect new user
scripts and new versions of user scripts.

That second route is what I consider an arms race: user scripts and other
content modification technologies (proxies and such) are often very
dependent on a specific structure of the DOM.
Obfuscation is possible! Even if you develop an uber-GM, publishers would
then move to an uber-obfuscation and we'd then have an uber-uber-GM ;-)

The problem is that so far we have no idea how most websites will react. I'd
recommend we move forward with a header, allow the paranoid user to disable
it and wait for the reactions of the publishers.

On 4/29/05, Simon Willison <cs1spw at bath.ac.uk> wrote:
... not letting websites know about the GM scripts so they are not tempted
to steal the private information that the user script injects... (rephrased)
> Of course, this is
> a classic security through obscurity argument. 

Since we already have a public user script directory and its next version
will probably allow searching user scripts for a given site, that obscurity is
already lost. A publisher can just look at the scripts that may run on his
website and include JavaScript to probe which modifications occurred. You
again have an arms race as the user scripts try to disable these snooping
routines ;-)
