Automatically allow GM-injected script on untrusted sites?

squeegee
Posts: 2
Joined: Mon Apr 06, 2009 11:02 am

Post by squeegee »

Is it possible for NoScript now or in future versions to detect the difference between Javascript present in the page source, and script injected by the end-user via GreaseMonkey?

I'll give you a bit of background. I am writing a rather (internally) complicated image app made for GreaseMonkey that for the most part runs locally, and as such, file:// urls can always be allowed. It opens potentially thousands of sites in a second window. Depending on values received through GM_getValue, it either scans a page for links or thumbnails, and then sends that info back via GM_setValue to the main part of the GM script running via setInterval at the file:// url. GM then loads another url in its list in the second window via location.replace. It is vitally important that NoScript runs on these pages in the second window, as some of them can be quite user-unfriendly, and sometimes even a showstopper, causing the app to stop running. After the scanning is done, the user can then open dynamically created pages (file:// scheme) to view and select thumbnails, then view the selected large images.

Different parts of the GM script are run on different pages, depending on what the "window.name" is.

All of the foregoing works quite well. However, occasionally it runs into a site that has hotlink protection on images via referrer, and so the user has to open that external page in a new window (no longer a file:// scheme). Because that window is also given a name, the GM script runs code just for it, arranging the thumbs so that the interface looks the same as in the dynamically created thumb pages. GM also removes all Javascript from the DOM on these pages (see below), and then injects some script of its own, so that the user interface will work the same as in the dynamically generated pages. Up to this point, things are still just dandy.

But the problem that now arises is that this injected script will not work without temporarily disabling NoScript for that page, since it is on an untrusted site, and should remain untrusted outside of the app. I think it is a lessening of the user experience to have to tell them that all potentially malicious Javascript has been removed from the page, but they must still disable NoScript for the page to work properly.

So, back to my original question, is it possible for NoScript to detect and allow only GM-injected script on untrusted sites? Maybe a before-GM and after-GM check to compare the source?

Code:

function removebadstuff(){
  var x,e,enn,E=document.getElementsByTagName('*'),EL=E.length;
  for(x=EL-1;x>-1;x--){
    e=E[x];
    enn=e.nodeName.toLowerCase();
    try{
      if(enn=="script"||enn=="applet"||enn=="embed"||enn=="object")e.parentNode.removeChild(e);
      else{
        e.removeAttribute("target");
        e.removeAttribute("onclick");
        e.removeAttribute("onmouseover");
        e.removeAttribute("onmouseout");
        e.removeAttribute("onblur");
        e.removeAttribute("onfocus");
        e.removeAttribute("onmove");
        e.removeAttribute("onresize");
        e.removeAttribute("ondragdrop");
        e.removeAttribute("onload");
        e.removeAttribute("onunload");
      }
    }catch(e){}
  }
}

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Automatically allow GM-injected script on untrusted sites?

Post by Giorgio Maone »

No, there's no safe way to do it.
Also, the "sanitization" you're performing is flawed, being blacklist-based.
For instance, what about scripts already run at GM execution time, which may have attached event handlers with addEventListener() or timed callbacks with setTimeout/setInterval?
The safest way to accomplish what you're trying to do is attaching your own event handlers from GM land, rather than trying to inject content-land scripts.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
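The approach recommended in the reply above, as an added example that is not part of the original thread: handlers are attached from the userscript with addEventListener() instead of injecting a script into the page, and the same run shows a listener registered earlier by a page script surviving an attribute-stripping pass like the one in removebadstuff(). All function names and the stub element are assumptions made so the code runs under Node.js; in a userscript `doc` would be `document`.

```javascript
// Added example: userscript-side ("GM land") event wiring, no injected <script>.
// Hypothetical names: wireThumbs, sanitizeAttributes, makeStubThumb, demo.

// Attach click handlers directly from the userscript. The callback runs in the
// userscript's scope, so no hidden form field or polling is needed.
function wireThumbs(doc, onSelect) {
  const thumbs = Array.from(doc.querySelectorAll('img.thumb'));
  for (const img of thumbs) {
    img.addEventListener('click', (ev) => {
      ev.preventDefault();   // suppress the browser's default action for the click
      onSelect(img.src);     // hand the selection straight to userscript code
    }, false);
  }
  return thumbs.length;
}

// Same idea as the attribute part of removebadstuff(): strip inline on* attributes.
function sanitizeAttributes(el) {
  for (const name of ['onclick', 'onmouseover', 'onload']) el.removeAttribute(name);
}

// Constructed stand-in for a DOM element (EventTarget plus an attribute map).
function makeStubThumb(src) {
  const attrs = new Map([['onclick', 'pageHandler()']]);
  return Object.assign(new EventTarget(), {
    src,
    removeAttribute: (n) => attrs.delete(n),
    hasAttribute: (n) => attrs.has(n),
  });
}

function demo() {
  const thumb = makeStubThumb('https://example.invalid/full/1.jpg'); // constructed URL
  const doc = { querySelectorAll: () => [thumb] };
  let pageHandlerRan = false;
  // Stands for a listener a page script registered before the userscript ran.
  thumb.addEventListener('click', () => { pageHandlerRan = true; });

  sanitizeAttributes(thumb); // blacklist pass removes the attribute only
  const selected = [];
  const wired = wireThumbs(doc, (src) => selected.push(src));
  thumb.dispatchEvent(new Event('click', { cancelable: true }));

  return { wired, selected, pageHandlerRan, attrLeft: thumb.hasAttribute('onclick') };
}
```

`demo()` reports that the inline attribute is gone while the earlier listener still fired, and that the userscript callback received the thumbnail URL directly.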
squeegee
Posts: 2
Joined: Mon Apr 06, 2009 11:02 am

Re: Automatically allow GM-injected script on untrusted sites?

Post by squeegee »

Okay, thanks. I had thought about that, but it's subject matter (attaching event handlers) I'm unfamiliar with. That sort of thing could also clean up some kludgy areas of my script, because I'm currently only indirectly communicating between some parts of content land and GM-land, as you put it, i.e. user clicks a button, which writes a value to a hidden form field, and GM periodically checks for a value there, grabs it, empties the form field, and performs the requested action. :shock: I learn best by seeing examples in action, so I'm gonna have to look for some, and write some test pages.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Automatically allow GM-injected script on untrusted sites?

Post by GµårÐïåñ »

Let us know if you figure this out. Thanks.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4