Allow Violentmonkey scripts

Bug reports and enhancement requests
Post Reply
Reindeer
Posts: 4
Joined: Fri Jul 07, 2017 3:12 pm

Allow Violentmonkey scripts

Post by Reindeer »

Violentmonkey is an add-on that lets users run custom userscripts.
When NoScript disallows a domain to run scripts, even Violentmonkey scripts are restricted from running. It would be highly useful if one could allow Violentmonkey scripts to run without allowing the website's domain. This would allow users to fix websites that (maybe purposefully) break themselves upon encountering a NoScript user. This was possible with Greasemonkey prior Firefox 57.
Currently Violentmonkey scripts are injected as blob objects as described here https://violentmonkey.github.io/2017/10 ... BLOB-URLs/
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Allow Violentmonkey scripts

Post by therube »

Yes it would be nice.
Suspect its the same as, well, take your pick, +bookmarklet*.

e10s, various browser versions, various NoScript versions.
In any case, point is, unless you allow the domain, bookmarklets (& likewise Violtentmonkey) scripts don't work, which sucks, which goes against the whole premise of not having to allow a site - just so bookmarklets work. (You don't know just how that bugs me - in Quantum. Many times, the only reason I allow a site is so that my bookmarklets work.)


(With some scripts you do have to allow particular domains, but that is an exception.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.2
jscher2000
Posts: 1
Joined: Fri Jan 05, 2018 12:00 am

Re: Allow Violentmonkey scripts

Post by jscher2000 »

I think this is the old CSP problem, that Firefox interprets the bar on inline scripts to apply to bookmarklets and extensions' content scripts. There have been a few bugs pending to change this but no obvious movement. The bug fix to allow extensions to inject style sheets that otherwise are barred by CSP, coming in Firefox 59, has something like a dozen files, so it seems these changes are not trivial to code.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Allow Violentmonkey scripts

Post by therube »

Bump.

Anything possible on this end to get things working as they should?


(I'll take it that security.csp.enable is NOT the thing to do :twisted:.)


What goes around, comes around.
Funny isn't it, that NoScript wasn't particularly feasible for me until ~2009, when bookmarklet support was introduced.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 Lightning/5.4
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Allow Violentmonkey scripts

Post by therube »

(I'll take it that security.csp.enable is NOT the thing to do :twisted:.)
What are the ramifications of setting, security.csp.enable, to 'false'?

I'm sure, not good.
But just what does that mean?


Or is NoScript able to come up with a safe work-around?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Allow Violentmonkey scripts

Post by skriptimaahinen »

It would NOT be good idea to disable CSP as that is what NoScript uses to block inline javascript. For anything fetched with network request, NoScript is able to block in webRequest event, but scripts that come embedded in the main document need to be blocked with CSP as that is the only way available to WebExtensions since Mozilla prevented access to the javascript.enabled config setting.

This is also the reason why bookmarklets wont work on blocked pages. There is a bugreport to get it fixed though: https://bugzilla.mozilla.org/show_bug.cgi?id=866522 Just don't hold your breath waiting. ;)

Not familiar how Violentmonkey executes its scripts, but I guess it tries to inject them as page scripts so they get blocked by the CSP. For example Greasemonkey works fine since the scripts are executed as contentscripts.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Allow Violentmonkey scripts

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Allow Violentmonkey scripts

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 SeaMonkey/2.53 Lightning/5.8
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Allow Violentmonkey scripts

Post by therube »

Breathe :-).

This doesn't fix everything, don't even know if it fixes Violentmonkey (?) (but it does fix Everything :-).)
So now you no longer need to Allow the site you're on in order for an Everything search to work - when NoScript is installed :-).

(FF 69, currently Nightly, required.)


Bug 1478037 Allow bookmarklets to run even when the CSP on the page would normally block javascript: execution

(from https://bugzilla.mozilla.org/show_bug.cgi?id=866522)
Boris wrote: I filed bug 1478037 to implement the basic "let the bookmarklet run" thing, so we don't let the perfect be the enemy of the good here. If the bookmarklet loads subresources, those will still be subject to CSP even with that bug fixed.
:-) :-) :-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5
Post Reply