I'll give you a bit of background. I am writing a rather (internally) complicated image app made for GreaseMonkey that for the most part runs locally, and as such, file:// urls can always be allowed. It opens potentially thousands of sites in a second window. Depending on values received through GM_getValue, it either scans a page for links or thumbnails, and then sends that info back via GM_setValue to the main part of the GM script running via setInterval at the file:// url. GM then loads another url in its list in the second window via location.replace. It is vitally important that NoScript runs on these pages in the second window, as some of them can be quite user-unfriendly, and sometimes even a showstopper, causing the app to stop running. After the scanning is done, the user can then open dynamically created pages (file:// scheme) to view and select thumbnails, then view the selected large images.
Different parts of the GM script are run on diferent pages, depending on what the "window.name" is.
All of the foregoing works quite well. However, occasionally it runs into a site that has hotlink protection on images via referrer, and so the user has to open that external page in a new window (no longer a file:// scheme). Because that window is also given a name, the GM script runs code just for it, arranging the thumbs so that the interface looks the same as in the dynamically created thumb pages. GM also removes all Javascript from the DOM on these pages (see below), and then injects some script of its own, so that the user interface will work the same as in the dynamically generated pages. Up to this point, things are still just dandy.
But the problem that now arises is that this injected script will not work without temporarily disabling NoScript for that page, since it is on an untrusted site, and should remain untrusted outside of the app. I think it is a lessening of the user experience to have to tell them that all potentially malicious Javascript has been removed from the page, but they must still disable NoScript for the page to work properly.
So, back to my original question, is it possible for NoScript to detect and allow only GM-injected script on untrusted sites? Maybe a before-GM and after-GM check to compare the source?
Code: Select all
function removebadstuff(){
var x,e,enn,E=document.getElementsByTagName('*'),EL=E.length;
for(x=EL-1;x>-1;x--){
e=E[x];
enn=e.nodeName.toLowerCase();
try{
if(enn=="script"||enn=="applet"||enn=="embed"||enn=="object")e.parentNode.removeChild(e);
else{
e.removeAttribute("target");
e.removeAttribute("onclick");
e.removeAttribute("onmouseover");
e.removeAttribute("onmouseout");
e.removeAttribute("onblur");
e.removeAttribute("onfocus");
e.removeAttribute("onmove");
e.removeAttribute("onresize");
e.removeAttribute("ondragdrop");
e.removeAttribute("onload");
e.removeAttribute("onunload");
}
}catch(e){}
}
}