Are Chrome user-scripts separated from the global namespace like Greasemonkey scripts?

I know Greasemonkey scripts are automatically wrapped in anonymous functions isolated in some way in order to prevent them conflicting with scripts in the page.

Does the same happen with Chrome user-scripts?

Acorn asked Jul 07 '11 21:07



1 Answer

Yes, Greasemonkey scripts are normally wrapped in an anonymous function. And, Chrome userscripts apparently are too.

But, more importantly, Greasemonkey scripts are usually[1] wrapped in an XPCNativeWrapper sandbox, while Google Chrome converts userscripts into extensions, and they operate in an arena that Google calls an "isolated world"[2].

So, you don't need to wrap your script code in anonymous functions for security purposes, they're already protected.

Just beware that:

  1. If you inject code directly into the page (create a <script> tag), then that code can be seen by the page's JS.
  2. If you use unsafeWindow, then the page could theoretically follow it back and gain slightly elevated privileges.

The risk is very low, and I haven't been able to find any documented exploits in the wild.

~~~
Bottom line, scripts are isolated to different degrees in both browsers. (And not merely by being wrapped in anonymous functions.)

Greasemonkey has a nice set of privileged features available, in Firefox. While userscripts in Chrome are much more restricted.

However, much of GM's functionality is restored to Chrome via use of the Tampermonkey extension.




[1] As of Greasemonkey version 1.0 (August 24, 2012), the sandbox is controlled by the @grant directive. If the script runs with (or defaults to) @grant none, then the sandbox isn't used. The script merely runs in a private scope and the normal GM_ API functions will not work.

[2] Doesn't that sound so much bigger/nicer than some nasty sandbox? (^_^)


Brock Adams answered Sep 28 '22 02:09

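An added example, not code from the question or the answer above, of a userscript laid out around the two caveats the answer lists: private state stays in the userscript's own world, the only code handed to the page is a self-contained IIFE that mentions none of that state, and the page reports back through a DOM event rather than through unsafeWindow. The names privateState, buildPageCode, injectIntoPage, listenForPage and the event name demo-ready are this example's own; the injection helpers take the document as a parameter so the logic can also be exercised outside a browser.

```javascript
// ==UserScript==
// @name   isolation-demo (added example, not from the answer above)
// @grant  none
// ==/UserScript==

// Lives in the userscript's world only; the page's own JS cannot read it.
const privateState = { apiKey: "constructed-example-key", pageMessages: 0 };

// Source that will run in the PAGE's world. It is an IIFE, so it defines no
// page globals, and it copies in literals only: it never references
// privateState (the page can read anything placed in a <script> tag).
function buildPageCode(eventName) {
  const name = JSON.stringify(eventName);
  return "(function () {\n" +
    "  // page world: sees page globals, not the userscript's variables\n" +
    "  document.dispatchEvent(new CustomEvent(" + name + ", { detail: { ready: true } }));\n" +
    "})();";
}

// Pre-injection check: refuse code that mentions one of our private names.
function isSafeToInject(code, privateNames) {
  return !privateNames.some(function (n) { return code.indexOf(n) !== -1; });
}

// Caveat 1 from the answer: a <script> tag runs in the page's world, so only
// inject code that passes the check. Removing the tag afterwards does not
// hide it from the page; it already ran there.
function injectIntoPage(doc, code, privateNames) {
  if (!isSafeToInject(code, privateNames)) {
    throw new Error("refusing to inject userscript private state into the page");
  }
  const s = doc.createElement("script");
  s.textContent = code;
  (doc.head || doc.documentElement).appendChild(s);
  s.remove();
  return true;
}

// Caveat 2: take replies from the page over a DOM event instead of handing it
// unsafeWindow, so the page can send data but cannot reach our scope.
function listenForPage(doc, eventName, onMessage) {
  doc.addEventListener(eventName, function (ev) {
    privateState.pageMessages += 1;
    onMessage(ev.detail);
  });
}

// Browser entry point; skipped when run outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  listenForPage(document, "demo-ready", function (d) { console.log("page sent", d); });
  injectIntoPage(document, buildPageCode("demo-ready"), ["privateState", "apiKey"]);
}
```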