I use match to restrict my script to work on only one domain, but Chrome runs it on every domain. I tried @include and @match, and it says "Access your data on all websites" when I try to install it, and it runs on all websites.
How can I restrict a userscript to one domain in Chrome?
The metadata is the same as on this page: http://www.chromium.org/developers/design-documents/user-scripts
I mean it's:
// @match http://*.google.com/*
// @match http://www.google.com/*
Note: this answer developed between the OP and Rob W. Placing it here in the hopes that this question might be useful to others without having to sift through the comment chain, above.
There are two issues. First, a userscript header does not parse if a UTF8 BOM is present (Chromium bug 102667).
Second, when using @include versus @match in a userscript, Chrome misleadingly reports that the script can "Access your data on all websites", but this is not really true. The script will run on only those sites specified by the include statement(s).
Consider (or make) these three scripts:
UTF test, not UTF.user.js (save with ANSI encoding):
// ==UserScript==
// @name Not UTF source file
// @match http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
    alert ("This script should not run on "+location.hostname+"!");
UTF test, is UTF.user.js (save with UTF-8 encoding, including the BOM):
// ==UserScript==
// @name Is UTF source file
// @match http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
    alert ("This script should not run on "+location.hostname+"!");
Include, not match.user.js (save with ANSI encoding):
// ==UserScript==
// @name Use include, not match
// @include http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
    alert ("This script should not run on "+location.hostname+"!");
Note that all 3 scripts are the same code. Only the @name and/or the file-format and/or @include versus @match are different.
The ANSI script, with match (UTF test, not UTF.user.js) reports these permissions:
This script operates and reports correctly, and as expected.
The UTF-8 script, with match (UTF test, is UTF.user.js) reports these permissions:
The permissions are reported incorrectly, contradicting the @match statement(s). Also note that the file-name is shown, URL-encoded, instead of the @name directive. These are both clues that something is amiss.
Worse, this script will operate on all sites. That is, you will see the alert() on all non-Yahoo pages. This is clearly a bug.
The ANSI script, with include (Include, not match.user.js) reports these permissions:
While this is a misleading report, the script will actually operate correctly. That is, it will only fire for yahoo pages.
This is due in part to how Chrome auto-converts userscripts into extensions. @match statements are translated directly into the manifest.json's matches property, while @include statements are made into include_globs values. See Match patterns and globs.
The permissions report keys off the matches array.
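The behaviour described in the answer above, as an added example that is not part of the original answer and is not Chrome's converter code: it checks a userscript's raw bytes for a UTF-8 BOM, reads the header, and models the resulting content-script entry so the install warning and the real scope can be compared. The function names, the result field names and the `ALL_SITES` fallback patterns are assumptions made for illustration.

```javascript
// Added example: models the two behaviours described in the answer above.
// ALL_SITES is an assumed stand-in for the broad fallback match patterns.
const ALL_SITES = ['http://*/*', 'https://*/*'];

function hasUtf8Bom(bytes) {
  return bytes.length >= 3 && bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf;
}

// Collect @name, @match and @include from the ==UserScript== block.
function parseHeader(text) {
  const meta = { name: null, match: [], include: [] };
  let inBlock = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    const m = inBlock && /^\/\/\s*@(\S+)\s+(.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2].trim();
    else if (m[1] === 'match' || m[1] === 'include') meta[m[1]].push(m[2].trim());
  }
  return meta;
}

function auditUserscript(bytes) {
  const bom = hasUtf8Bom(bytes);
  // Model of the BOM bug: the header is not parsed, so no directive is seen.
  const meta = parseHeader(bom ? '' : new TextDecoder().decode(bytes));
  const usedFallback = meta.match.length === 0;
  const contentScript = {
    matches: usedFallback ? ALL_SITES : meta.match, // from @match
    include_globs: meta.include,                    // from @include
  };
  return {
    bom,
    contentScript,
    warnsAllSites: usedFallback, // the install prompt keys off `matches`
    runsOnAllSites: usedFallback && meta.include.length === 0,
  };
}

// Constructed sample input based on the answer's third test script.
const sample = '// ==UserScript==\n// @name Use include, not match\n' +
  '// @include http://www.yahoo.com/*\n// ==/UserScript==\n';
console.log(auditUserscript(new TextEncoder().encode(sample)));
```

A result with `warnsAllSites` true and `runsOnAllSites` false is the misleading-but-harmless @include case; both true together with `bom` true is the BOM case, fixed by re-saving the file without the BOM.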