« Firefox 1.5 released
Pornzilla update »

Updated Greasemonkey scripts

I updated a few of my Greasemonkey scripts to work with versions of Greasemonkey that use XPCNativeWrappers. Greasemonkey 0.5 introduced the use of XPCNativeWrapper for the document object (but only when running on "Deer Park" builds of Firefox that were leading up to Firefox 1.5, not when running on Firefox 1.0.x). Greasemonkey 0.6.4 uses XPCNativeWrappers for everything except unsafeWindow, including the script's global scope. Using XPCNativeWrappers increases security but requires some scripts to be modified.

Most of my scripts didn't require any changes. Several only required minor changes to work with XPCNativeWrappers, such as using addEventListener instead of setting the onclick property.

The trickier scripts to fix had relied on the ability to set properties on DOM objects. I refactored Valid XHTML and Drag 43 Things to use closures instead.

Another problem I ran into was that the normal XMLHttpRequest syntax does not work with XPCNativeWrappers (bug 318489). Bash.org instant voting used XMLHttpRequest, so I modified it to use GM_xmlhttpRequest instead.

I also updated Pike's Google Maps Mousewheel Zooming script to work with Greasemonkey 0.6.4. This was the most difficult script to update because it interacts with page scripts rather than just interacting with a DOM. The normal way for a Greasemonkey 0.6.4 script to interact with page scripts is to use unsafeWindow, but using it allows the page to see the source of your script, and in some cases allows the page to call GM_ functions. (It would be bad if an evil web page were able to use GM_xmlhttpRequest, since it is not restricted with a same-host policy.) One might argue that I trust Google, which is true, but I don't trust maps.google.evil.com, which is also matched by the script's URL pattern. My version of the script works by setting location.href to a "javascript:" URL when it wants to call in-page functions. I think this is safe and hides the Greasemonkey script's functions from the JavaScript stack seen by webpage functions.

I also found out that my Valid XHTML script was broken in Greasemonkey 0.6.4 because it uses DOMParser, probably for the same reason scripts using XMLHttpRequest are broken. I gave up and used unsafeWindow to access DOMParser.

This entry was posted on Thursday, December 1st, 2005 at 10:39 pm and is filed under Mozilla, Security, User Scripts. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

3 Responses to “Updated Greasemonkey scripts”

  1. Ian Says:
    December 2nd, 2005 at 4:49 am

    You forgot local.google.com and also local.google.co.uk, maps.google.co.uk, maps.google.ca…. etc

    Also it didn’t work at first, but now is working. Weird :o/

  2. Vitor Says:
    December 4th, 2005 at 5:10 pm

    Some bookmarklets intalled as user scripts with this don’t work anymore. The very useful remove redirects for example, although it’s easy to fix that one.

  3. Jesse Ruderman Says:
    December 4th, 2005 at 8:38 pm

    Vitor: hmm. I wonder if I should change the “Bookmarklets to user scripts” script to keep the bookmarklet as a javascript: URL and use location=. I used that trick when I updated Pike’s “Google Maps Mousewheel Zooming” and it worked pretty well.