Is the YousableTubeFix userscript safe?

randomuser

Post by randomuser »

Hello. I'm afraid of using complex userscripts with the Scriptish addon because they may contain malicious code. Can you please take a look at the source code of YousableTubeFix and tell me if it's safe to use it? Or may I just trust NoScript and install any major script from that site?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is the YousableTubeFix userscript safe?

Post by Tom T. »

randomuser wrote: Hello. I'm afraid of using complex userscripts with the Scriptish addon because they may contain malicious code. Can you please take a look at the source code of YousableTubeFix and tell me if it's safe to use it?
Please pardon my asking, but aren't Scriptish and Greasemonkey intended for those who can write their own scripts in the first place?
From Greasemonkey FAQ:
....user scripts often offer a light-weight alternative, requiring no browser restart on user script installation nor removal, and work with the common DOM API familiar to any web developer....
(emphasis was mine, not in the original).

In other words, these tools are intended for developers, or for users who at least are capable of writing their own code.
Which implies, being able to vet code written by others.
randomuser wrote: Or may I just trust NoScript and install any major script from that site?
I don't use either product. But if you install it yourself, and use a Firefox add-on to alter the behavior of a page, it probably won't be subject to NoScript's vetting.
Or you may have to whitelist some local file sources.
(GM and Scriptish users: Which is it? -- thanks.)

Either way, it's presumed that you trust scripts you wrote yourself, or that you deliberately installed after someone else wrote them - unlike Web scripting, where NoScript shows you the web site that is the source of the scripts (YouTube, Yahoo, your bank, etc.), and you can decide whether you trust that source.
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Is the YousableTubeFix userscript safe?

Post by Giorgio Maone »

However, the code in current version does not look malicious.
randomuser

Re: Is the YousableTubeFix userscript safe?

Post by randomuser »

Tom T., Scriptish and Greasemonkey are UserScript (third-party JavaScript files that modify the behavior of some webpage) managers. The text you quoted says that any developer can develop UserScripts to be used with these addons, not that they are meant only for developers. UserScripts act as lightweight addons, and some (like YousableTubeFix) are downloaded and used by thousands of users who have no idea about what "JavaScript" even means. However, their source code is not inspected as carefully as the addons on the Mozilla official repository, so I thought about asking people who know a lot more than me to take a look at this specific file, since it's more complex than I can understand and runs on a website that has access to my main Google account cookies.

Thank you, Giorgio.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is the YousableTubeFix userscript safe?

Post by Tom T. »

I fear setting a precedent. Imagine a million non-tech users installing this add-on, then asking us to vet every single user script up there, plus each new one as it is posted. Four part-time volunteers and one developer who is very busy trying to cope with each new Web threat, Firefox versions, bringing us NoScript 3.x for the desktop...

Please note Giorgio's emphasis on "current version", in italics. That code could be changed tomorrow. Do you see the limits of this?

Reputable Web sites presumably care enough about their reputations not to install malicious software on your machine. They may invade your privacy (many do), but if it were discovered that Google, say, was *deliberately* infecting machines, the current USD $600/share price of Google stock would plunge, as users and advertisers fled the service. This is what Giorgio meant in the FAQ about accountability.

This is much different from some unknown, anonymous user uploading scripts. Do you see that difference?

Also please note that many reputable sites may not code for perfect security, and may be compromised by evildoers at times. Nearly all of the major ones have been. Fortunately, NoScript offers the best protection available against this type of attack. But not if you install the malicious code yourself...

Giorgio did you a one-time favor. Please read the subtext carefully, and let us not distract him, or his team of volunteers, from enhancing the product and solving actual problems, thanks.

Cheers,
- Tom.
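
The point made in this thread, that a review only covers the version that was actually read, can be turned into a check. The following is an added example, not part of the original thread and not code from YousableTubeFix, Greasemonkey or Scriptish: it summarises which sites and external files a userscript's metadata block declares and pins a SHA-256 of the reviewed text so that any later change is detected. The sample script, its name and the example.org URL are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample userscript (not the real YousableTubeFix source).
const SAMPLE = [
  '// ==UserScript==',
  '// @name        Example Tube Tweaks',
  '// @include     http://*.youtube.com/watch*',
  '// @include     https://*.youtube.com/watch*',
  '// @require     http://example.org/lib/helper.js',
  '// ==/UserScript==',
  'document.title = "tweaked";',
].join('\n');

// Parse the ==UserScript== header into { key: [values, ...] }.
function parseMetadata(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@([\w:-]+)\s*(.*?)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// SHA-256 over the exact text that was reviewed.
function fingerprint(source) {
  return crypto.createHash('sha256').update(source, 'utf8').digest('hex');
}

// What a reviewer should look at first: where it runs and what else it loads.
function reviewSummary(source) {
  const meta = parseMetadata(source) || {};
  const scope = [...(meta.include || []), ...(meta.match || [])];
  const broad = /^(\*|(\*|https?|http\*):\/\/\*(\/\*)?)$/;
  return {
    name: (meta.name || ['(none)'])[0],
    scope,
    // Greasemonkey assumes "@include *" when no scope is declared.
    broadScope: scope.length === 0 || scope.some((p) => broad.test(p)),
    remoteCode: meta.require || [], // external files that need review too
    sha256: fingerprint(source),
  };
}

// True when the installed text no longer matches the reviewed version.
function changedSinceReview(source, pinnedSha256) {
  return fingerprint(source) !== pinnedSha256;
}
console.log(reviewSummary(SAMPLE));
```

A matching hash only says the file is the one that was reviewed; it says nothing about whether that review was thorough, and each `@require` URL needs the same treatment.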