Can I write a private greasemonkey script? - javascript

I want to write a greasemonkey script for my client to automate his tasks, however I don't want to share the script with others (as obviously, my client would not be too happy with this!)
How can I write a greasemonkey script without sharing it with others?

The question is not clear. But if you mean, "Can I stop my client from seeing the Greasemonkey script's code and possibly sharing it?"
Then the answer is "NO". Anyone using Firefox can see/edit the script's code via the Greasemonkey menu or the User Scripts tab in the Add-on manager.
This is by design. The producers of Greasemonkey (and most script authors) do not want any possibility of hidden or encrypted scripts being foisted on unsuspecting users.
Additionally, the script source can be seen by anyone with access to the client-machine's file system.
If you mean:
How can I run/install the script in my browser without uploading it to the userscripts site?
That's easy...
Save your script to a file, e.g. MyScript.user.js. Keep track of where you saved it, and make sure it's not in a system temp folder.
In Firefox, choose Open File (Ctrl+O).
Navigate to where you'd saved your script and open it.
Greasemonkey will pop up a dialog asking if you want to install the script. Press Install.
See "Installing Scripts" in the documentation.

Make a site with a link like this
Install special script xx
and save your script at
http://yourserver.com/yourscript.user.js
Greasemonkey and Tampermonkey will see a JavaScript file, and if its name ends with user.js they will ask to install it. Give the URL with the install link to your client. You can protect your site with a password.

Related

Should chrome extensions have access to Tabs content (other websites)

Is there a way to identify and block JS files/events that are not part of your domain?
Like assume, if I'm writing an extension for Chrome and I put the following code in my JS
$('div').on('click', function(){ alert("yup"); });
is there a way for a website to handle this case?
Edit 1:
After discussion with #Clive, I realized that all extensions/applications should run in a sandbox and should not be able to access events/elements outside the scope.
Case
A Chrome extension has a keypress event on input[type=text] and input[type=password]. Now this extension runs in the background, so its JS files are always available. Hence if you open Facebook and log in to your account, this extension will capture data and can send it to its server.
My Case
Two users were getting alert messages multiple times. Initially we thought it was a part of our code and checked all JS files. But then we realized both users had the same extension, so we diagnosed that extension's JS file and found the alert in it. Now we were lucky, no damage was done, but it still poses a possible security threat.
Short answer: No.
Long answer:
Chrome extensions run their code in a separate space from your site's code, so they don't interact at all. The best you could do is prevent DOM edits. Luckily chrome extensions already run in a sandbox and have to explicitly ask for permissions for the domains that they inject code in and those domains are all listed when you install an extension. The only other way for extensions to interact with a page is through the activeTab permission which is a one time allowance on a specific user action. If you are using an extension that you think is malicious, you can always just read the code since JS is naturally open source. It really all boils down to a matter of trust. Installing something is explicitly trusting that thing to not mess up your stuff. This applies to all programs. If you don't trust an extension, then don't install it. A sandbox can only prevent so much while still letting extensions do something.
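The answer above says the domains an extension injects into are declared up front and that the code can be read. As an added example (not part of the original posts), this Node.js sketch reads those declarations from a manifest and flags patterns that cover every site; the sample manifest is constructed, and the list of broad patterns is an assumption that is not exhaustive.

```javascript
// Added example: audit a Chrome extension manifest for host access.
// The manifest below is constructed sample data, not a real extension.
// Assumed (non-exhaustive) list of match patterns that cover every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A permission string is a host pattern if it is <all_urls> or contains "://".
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  const injected = new Set();   // pages where content scripts are injected
  const hostAccess = new Set(); // hosts reachable through permissions
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) injected.add(m);
  }
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them under "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of declared) if (isHostPattern(p)) hostAccess.add(p);

  const all = [...new Set([...injected, ...hostAccess])];
  return {
    injectedInto: [...injected],
    hostAccess: [...hostAccess],
    broad: all.filter((p) => BROAD_PATTERNS.has(p)),
    usesActiveTab: declared.includes("activeTab"),
  };
}

// Constructed sample: an extension whose content script runs on every site.
const sampleManifest = {
  name: "Sample click-to-call (constructed)",
  manifest_version: 2,
  permissions: ["tabs", "activeTab", "https://api.example.com/*"],
  content_scripts: [
    { matches: ["http://*/*", "https://*/*"], js: ["content.js"] },
  ],
};

const report = auditManifest(sampleManifest);
console.log(report);
```

A non-empty `broad` list means the extension's scripts can run on pages such as a login form, which is the case the question describes.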

Hyperlink click should open the document in Default program

I have a hyperlink in my html document as
click
When I click on the hyperlink, the specified file opens in the browser itself.
Is it possible to open that file in notepad or sublime text or any text editor which is the default program for the file type (txt in this case). Can I do it programmatically in javascript or jquery. Is there any way to do it?
Note: This is just a stand-alone application. I have developed a plugin which searches for patterns, that I have given as input, in all the files in a given source directory and prints out all the file names in that directory which contain that pattern. It's printed to an output report HTML file. I just want to link the file path name to the default editor, so that he can edit it and save. No issue of security. Can it be done?
If not, is there any other way to accomplish this task? I can generate the output report in any format. Pls help.
As others mentioned, you may not be able to do this without compromising your browser's security. But I came across a link that may help you.
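<script type="text/javascript" language="javascript">
    // Uses Windows Script Host via ActiveX; works only in Internet Explorer on Windows.
    function RunFile() {
        var WshShell = new ActiveXObject("WScript.Shell");
        // Launch Notepad in a normal window (1) without waiting for it to exit (false).
        WshShell.Run("c:/windows/system32/notepad.exe", 1, false);
    }
</script>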
Edit: This opens an empty notepad, and it'll only work on Windows. You may use JS to distinguish between different OSes and run their default text editors accordingly, but I wouldn't go that route. Why not use online editors instead?
Due to security reasons, HTML/JavaScript isn't allowed to access the local file system.
http://en.wikipedia.org/wiki/JavaScript#Security
JavaScript and the DOM provide the potential for malicious authors to deliver scripts to run on a client computer via the web. Browser authors contain this risk using two restrictions. First, scripts run in a sandbox in which they can only perform web-related actions, not general-purpose programming tasks like creating files. Second, scripts are constrained by the same origin policy: scripts from one web site do not have access to information such as usernames, passwords, or cookies sent to another site
You have to make a server request in order to get the resource.
You can't do this without compromising the browser's security. You'd have to modify the browser's MIME type for TXT and the default program associated with it. If it's on your local network, and you're on a domain, and each user has admin privileges on their machines, you could theoretically do a registry hack and change the default settings for opening text files in external editors, but this compromises security, and chances are if you're in a domain network, your admin privileges are stripped from local machines.
I was looking for something similar and found a solution. Maybe someone will find it useful.
If you only want to do this on your own computer, it works.

What is "chrome-extension://"

I found some strange <script/> tags on a site:
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/document_iterator.js"></script>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/find_proxy.js"></script>
...
I haven't been able to find much information on this, but I highly doubt this is actually related to Google Chrome since this site in particular is still using <table>s for layout, and the source in question was retrieved with curl not a graphical web browser.
So,
What on earth is this?
What is chrome-extension://
Why is it using lifbcibllhkdhoafpjfnlhfpfgnpldfl as a directory name
Why is it pretending to be valid URL to a javascript file?
Why would I need find_proxy or document_iterator
Solved. As far as I know...
chrixian was right, it seems that only on this and a few select other pages, someone had re-saved them from Chrome's source-view with the Skype extension installed.
Thanks everyone for all your help, +1's for all! enjoy!
That is actually Skype Click to Call chrome extension.
Manage and view it using this link
chrome://extensions/?id=lifbcibllhkdhoafpjfnlhfpfgnpldfl
If you are using cURL to get the page, you're getting the HTML as it exists on the server, so I think a safe assumption would be: the author of the page initially saved the page from Chrome, he had an extension installed that inserted these script tags, and lastly he didn't remove the script tags for one reason or another before putting the page on the server.
This is added by chrome as the page loads, to inject the extension's Javascript code into the page, so it can access the HTML document.
The Skype extension causes it by inserting all kinds of junk in webpages that you visit.
Do you have the Skype browser extension installed for Chrome?
Just disable the extension.
Chrome, like Firefox, provides developers with an easy API to extend the functionality of the web browser without needing to actually download and build the browser to do so.
They also provide a robust delivery system. In Google's case, it's the Google Chrome Web Store.
Extensions are installed locally on your computer, and use long strings as directory names to reduce the risk of collisions with another extension. In other words, if you and I both named our extensions "mycoolextension", then there would be a problem if a person tried to install your extension and my extension. The long string helps prevent collisions such as this.
The chrome-extension:// protocol is used by the browser to make requests to these local resources. Chrome extensions are developed using HTML5, JavaScript, and CSS, along with an API exposed to allow the local JavaScript to perform actions it would not normally be able to do on the Internet.
When you see these in the Chrome developer tools, it's just the extension doing its thing, whatever that may be.
If you're seeing these, then you likely installed some extensions from the Chrome Web Store. To view them, go to the Tools menu and select "Extensions". This will show you a list of all installed Chrome extensions and apps.
To learn more about extension development, see the Getting Started Tutorial.
Also, as someone else mentioned, you're using the Skype Call Extension. However, an app using that directory name doesn't appear in the first page of the search results. It might be worth doing some more research to make sure you got that extension from a legitimate source, whether that be Skype or the Chrome Web Store.
If you're seeing it in Chrome developer tools for every request you make, it means it has access to all your websites, which could be benign, like if they're just making phone numbers clickable, or it could be malicious, if it's scraping your bank account info and shipping it off to some third party server. :)
It's a Chrome extension, and chrome-extension:// is a URL for extensions to address their contents via Javascript.
lifbcibllhkdhoafpjfnlhfpfgnpldfl is the unique identifier for the extension. I can't find it with a search, but apparently it might be Skype.
It's not pretending... it is a valid URL. The JavaScript file is located in the extension. If you were to look on your hard drive you'd probably find that very file in the extensions folder.
The functions it's calling probably are some sort of detection used by the extension to see if it needs to enable itself.
See this for some additional information:
Checking if user has a certain extension installed
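The accepted explanation in this thread is that the page was re-saved from Chrome with an extension's injected tags still in it. As an added example (not part of the original posts), this Node.js sketch scans HTML as served for leftover chrome-extension:// references and groups them by extension ID; the two script tags are the ones quoted in the question, the rest of the sample page is constructed.

```javascript
// Added example: find chrome-extension:// references left in served HTML.
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_REF = /\b(src|href)\s*=\s*["']chrome-extension:\/\/([^\/"'\s>]+)\/?([^"'\s>]*)["']/gi;
const VALID_ID = /^[a-p]{32}$/;

function findExtensionRefs(html) {
  const byId = new Map();
  for (const m of html.matchAll(EXT_REF)) {
    const [, attr, id, path] = m;
    if (!byId.has(id)) {
      byId.set(id, { id, wellFormedId: VALID_ID.test(id), resources: [] });
    }
    byId.get(id).resources.push({ attr: attr.toLowerCase(), path });
  }
  return [...byId.values()];
}

// Sample page: the two script tags quoted in the question, plus constructed markup.
const samplePage = `
<html><body>
<table><tr><td>Legacy layout (constructed)</td></tr></table>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/document_iterator.js"></script>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/find_proxy.js"></script>
<script src="/static/site.js"></script>
</body></html>`;

const findings = findExtensionRefs(samplePage);
for (const f of findings) {
  console.log(f.id, f.wellFormedId ? "(well-formed ID)" : "(malformed ID)",
    f.resources.map((r) => r.path).join(", "));
}
```

Run against files before they are published, a non-empty result means markup injected by an editor's browser has been saved into the page and should be stripped.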

How to use a greasemonkey function

I'm new to greasemonkey and I've a script (which I'm serving) that uses GM_xmlhttpRequest. I was wondering what I've to reference in order to use this function. Like I said, I'm serving this script so I've no idea if the user has GreaseMonkey installed.
Thanks
You can not "serve" script that uses GM_xmlhttpRequest(). GM_xmlhttpRequest() will run in the protected Greasemonkey sandbox (or the protected Chrome userscript sandbox) only.
You can host a proper user script and ask that the user install it, but the user is under no obligation to do so.
If you want your page to have some kind of cross-site AJAX capability, you cannot use GM_xmlhttpRequest() in its JS. You'll have to use one of the standard workarounds.
If you installed scripts appropriately (like from userscripts.org), the GreaseMonkey should be able to detect them. You can see what scripts are currently being used by right-clicking on the GreaseMonkey icon on the lower right-hand side of your screen. Some scripts work automatically, and some scripts require the browser to be restarted first. When Greasemonkey detects a page that a script applies to, it automatically runs the script. No need for you to do anything.

running javascript in IE without warning 'the webpage you are trying to access wants to run activex control'

Is there any way to stop the warning message from popping up in IE when trying to execute JavaScript?
I want some solution which does not need modifying the settings in the IE manually by the user.
Thanks,
If the message is only appearing for you when you run the scripts locally and not for your visitors when you upload your scripts to the server, I'd suggest one of three things:
Have a test server that you can use to run the things you are developing. This will avoid issues that might come up when you are running scripts locally. Apache or IIS should allow you to do this, although you will have to research how to get the server you choose to use working like your production environment (example: PHP).
If you want to continue to test your scripts locally, you can give your pages the Mark of the Web (<!-- saved from url=(0014)about:internet -->). This will force the page to run in the Internet Security Zone and avoid the message you see when you open an HTML file containing script locally.
If there is some reason you can't give the pages the MOTW, you can configure Internet Explorer to allow scripts to execute locally (note this is a bit dangerous since local files containing script can do something malicious). Go to Tools > Internet Options > Advanced tab > scroll to the Security section and check Allow active content to run in files on My Computer
This only occurs when you open local files. And no; there's no way to avoid this.
Or so I thought.. Until Grant Wagner came by and gave his two cents :)
