Say I have a local daemon running on my machine, and I want to talk to the daemon from a Greasemonkey script. I know that one of the core concepts of site JavaScript is that it is isolated from everything else, but I was wondering if there was a workaround.
One of the ideas I had was to use a WebSocket to send data to the local daemon but they are only available on Webkit based browsers.
Three possibilities:
Give the daemon web-server capabilities and then use normal AJAX techniques via GM_xmlhttpRequest() to interact with it.
Instead of a GM script, make a Firefox add-on. Add-ons can interact with the local system in much more dangerous ways than a GM script can.
I do not recommend this last approach, but include it for completeness... It may be possible for the daemon to read and/or write Firefox cookies or localStorage. GM scripts can also, but XSS restrictions apply here (unlike with GM_xmlhttpRequest()).
You could get the daemon to accept HTTP requests, which are done very easily using JavaScript? I think you are going to need to improve the daemon here, rather than the script itself - JavaScript is very secure, and Greasemonkey just takes that a step further.
Related
I'm using jsdom to load web pages with my Node.js application.
Sometimes, I don't get the full DOM because some web pages use scripts to load their content dynamically after the onload event is triggered.
jsdom deactivates the execution of these scripts by default because it would cause a security flaw, as stated in their documentation:
The jsdom sandbox is not foolproof, and code running inside the DOM's < script>s can, if it tries hard enough, get access to the Node.js environment, and thus to your machine
I was wondering if there was a way to make it foolproof using some workarounds? I'm kind of new in Node.JS development and as it is a single threaded environment, I'm not sure how I can create a secured sandbox.
NodeJS does not have this kind of security out of the box. If you'll be running untrusted, 3rd party code in your Node engine, you'll need to use operating system tools to isolate and secure it.
Things you could look into:
Using a chroot jail.
Using a virtual machine.
Using a Docker container.
Using the jailed sandbox library (haven't used it myself, but it has good reputation).
Do some research on these approaches and their limitations, and see which suits your purpose best. A virtual machine will offer the greatest isolation and least chance for error, I think, but it has the greatest overhead. All approaches could be made to work.
I don't have a lot of hope for this one, but I have to ask. I am hoping, for didactic purposes, to come up with some means by which a student could load a simple javascript program into a browser, and have it interact with them in the old-fashioned command line manner, where it prints a line and then reads a line of input. This works fine if you use prompt(), but the fact that it creates popups is aesthetically annoying, and today's browsers cheerfully volunteer to stifle the scripts which overuse it. The problem is, prompt() appears to be the only way browser Javascript has of actually pausing a script to wait for input. If we avoid it, that throws us immediately into having to deal with a real-time GUI event input model.
I've been looking for a way to fake it -- to set up some kind of environment in which it is possible for a Javascript method to wait for input and then return when it's given. The best possibility I've got so far is to connect it to a Java applet, but the java applet brand is kind of poisoned now and I doubt people would want to install the plugin. Could there be another way? Worker threads? A browser add-on? Some server-side trick? Does anyone have an idea?
This question is now years old... I wonder if the addition of promises and async/await to Javascript makes this any more possible now?
...I sort of got it to work. If the read-eval-print loop is in an async function and uses await for the line that reads input, you can indeed make an old fashioned linear read-eval-print loop in an event-driven browser environment. But I don't think you can make the main thread wait on input without an async function, except with the grandfathered prompt method (which they're now getting ready to deprecate).
The technical term for what you want is a REPL: a Read-Evaluate-Print-Loop. There are many REPLs out there.
The Best Browser-Based Solution
Use Google Chrome's inbuilt console! It's a Javascript REPL that can also let you interact with a web page. You can access it by using Ctrl+Shift+I on Windows and Unix inside Chrome, or the equivalent command on a Mac (Google it!).
To load a file and play with it, all your students need to do is create a directory structure like this:
project
|--> index.html
|--> javascript.js
make sure index.html has a script tag that points to javascript.js, and then open index.html with Chrome. Voila! You have loaded a Javascript file, and can now play around with it in Chrome.
It's the best solution because you get the full power of the DOM, can do REPL stuff, and is virtually painless - everyone uses Chrome, and your students can even go home and mess around with it completely.
A Browser-Based Alternative
Rather than reinvent the wheel, you can also use Repl.it.
It's a browser-based Javascript REPL website that supports inserting an arbitrary Javascript program, and interacting with its contents. This is the closest you'll probably get to meeting your requirements - it'll be unable to interact with the DOM (obviously), but it'll more than work.
Non-Browser-Based Alternative
If the requirement for a web-based solution can be relaxed, simply using Node.js' inbuilt REPL on a terminal can be more than sufficient.
You could install Node on your lab's computers, and have people play with Javascript in that capacity. There'll be no DOM, but you could certainly have them write functions and algorithms to solve simple problems. Plus, it'd be a good way to introduce them to the fact that Javascript is no longer client-side-bound.
The fact that you'll be interacting with Javascript in an actual terminal, rather than an emulated one in the browser, is another neat bonus.
If I've Misunderstood...
Some of the question comments make it sound like you want a way to be able to interact with terminal utilities using Javascript from a browser. If that is the case, this is impossible.
There is no way for Javascript to evaluate, parse or do anything on the command line that isn't written using Javascript. You cannot expect the equivalent of a bash ls using a browser-based solution - that's because browsers don't have access to your underlying filesystem, which is a good thing. You cannot run sed, awk, grep, etc. for the same reason - Unix utilities are inaccessible to a browser. There are ways to run Unix utilities using Node, of course, but then you will be teaching them how to use Node, rather than how to play with the Unix console.
If all you want, however, is a way to SSH from a browser into a common environment, there are certainly browser-based ways to do that. FireSSH is a Firefox plugin (now also ported to Chrome) that lets people SSH into a common server. They can then do ls, vim, etc. and have it run in the server, with the results piped back to their browser screen. You'll have to think carefully about security in this case, of course, but I think simply giving people user permissions for this server should more than suffice.
Note that FireSSH doesn't use Javascript to parse or do anything - all it is doing is relaying commands you type to a server, having the server execute those commands remotely, and then piping the results back to your screen.
Alternatives to Prompt
I added this after understanding OP's requirements in more detail.
This is a question that has been asked before. I am fond of library solutions, and in 2013, iocream.js was developed for just this sort of browser functionality. You can embed it in a page, and use the jin function to assign values.
If going with a Node.js solution, by far the best approach is to make use of the prompt library. I personally find it very useful for embedding within Node.js applications.
SpiderMonkey is Mozilla's C++-based Javascript engine, and supports a function called readline(). Unfortunately, there doesn't appear to be a mainstream browser implementation.
I am developing chat application, using node.js socket.io module on a server, and javascript on a client. As it become more complex, I become tired to test different usage scenarios by clicking across browsers. At now I use different browsers in order to separate cookies. So in Firefox there is one chat participant, in Opera - second, etc.
Therefore my question is:
Can I automate this somehow?
I've heard about headless testing engines like Phantom JS, Selenium WebDriver, but I don't know how to write tests between different browsers. In fact, I indeed need to separate cookies, different browsers are here only for this task.
May be I cannot explain my problem to Google :) All answers on such question imply cross-browser development, and testing that aspect.
Any help will be appreciated a lot!
The answers shown at How to test two interacting browsers (e.g. chat app) might be of use if you try to go the Casper/Phantom/SlimerJS route. I'm not marking it as a duplicate as your question is more general, whereas that one is about exactly how to synchronize two CasperJS instances; it is also not specifically about socket.io.
Note: if using Phantom to test Web Sockets you will need to get Phantom 2.x (which is still experimental, and does not have an easily downloadable beta yet), as Phantom 1.x uses an old WebKit. SlimerJs always uses a recent Gecko (i.e. Firefox) engine, so is fine.
Each instance of PhantomJS can have its own cookies. This answer (and the other answer on that question) explains your choices well.
SlimerJS cookies are similar, but persistent cookies are stored in the Mozilla profile, so if you wanted to run multiple instances, you would want to specify an explicit profile for each instance. (Though your chat application may only be using session cookies, in which case this does not matter.)
Anyway, as cookies are used I would definitely run two instances of CasperJS, rather than try to use two tabs, or two frames.
Is it possible to communicate over a machine's serial port through JavaScript?
I have to write a short program that sends data to a microcontroller over the serial port that has a GUI and is cross-platform compatible, and I really don't want to use Java's Swing.
JavaScript itself doesn't have any built in functionality to allow you to access the serial port. However, various JavaScript engines (v8, rhino, etc) allow you to write your own custom native objects.
You might want to check out node.js, which is a JavaScript library for v8 that's focused on writing server-side code (rather than web browser client code). It seems that someone's already written a serialport package for that:
https://github.com/voodootikigod/node-serialport
This is an old question, but in case this helps anyone else, Chrome Apps have access to a serial API - http://developer.chrome.com/apps/serial.html - which might help.
It's Chrome specific (obviously..), but Chrome is available cross-platform so might answer the question.
There's a cross platform plugin for serial port communication called jUART.
Yes, it's possible using an ActiveX(I did it). You can make an activeX and use JavaScript to invoke it.
If you prefer, you can make a .net dll and register it using regasm. Take a look at this link
You also can write an activeX using VB6 and register it. Both works fine.
Ps.: if you are using ActiveX, the JavaScript code will run just on IE.
If you have a DLL library (this includes e.g. most Windows APIs) that allows you to communicate over serial port you can invoke it from Firefox chrome code (or content code with universalxpconnect privileges) by using ctypes.
What you could do is to use a Java applet that connects to the local computer's Java application that reads the serial port. The applet would then transfer the data to a JavaScript class or something that can hold the information. Then additional JavaScript code can be used to access the data. It's a complicated solution but should work.
Another way is to create a POJO service.
I've never actually used greasemonkey, but I was considering using it.
Considering that GreaseMonkey allows you to let random people on the Internet change the behavior of your favorite websites, how safe can it be?
Can they steal my passwords? Look at my private data? Do things I didn't want to do?
How safe is Greasemonkey?
Thanks
Considering that GreaseMonkey allows you to let random people on the Internet change the behavior of your favorite websites, how safe can it be?
It's as safe as you allow it to be - but you aren't very clear, so let's look at it from a few perspectives:
Web Developer
Greasemonkey can't do anything to your website that a person with telnet can't already do to your website. It automates things a bit, but other than that if greasemonkey is a security hole, then your website design is flawed - not greasemonkey.
Internet user with Greasemonkey loaded
Like anything else you load on your system, greasemonkey can be used against you. Don't load scripts onto your system unless you trust the source (in both meanings of the term 'source'). It's fairly limited and sandboxed, but that doesn't mean it's safe, merely that it's harder for someone to do something nefarious.
Internet user without Greasemonkey
If you do not load greasemonkey or any of its scripts, it cannot affect you in any way. Greasemonkey does not alter the websites you visit unless you've loaded it on your system.
Greasemonkey developer
There's not much you can do beyond what can already be done with XUL and javascript, but it is possible to trash your mozilla and/or firefox profile, and possibly other parts of your system. Unlikely, difficult to do on purpose or maliciously, but it's not a bulletproof utility. Develop responsibly.
-Adam
Considering that GreaseMonkey allows you to let random people on the Internet change the behavior of your favorite websites
Random people whose UserScript you have installed. No one can force you to install a UserScript.
Can they steal my passwords?
Yes, a UserScript could modify a login page so it sent your password to an attacker.
No, it cannot look at your current passwords, or for websites the UserScript isn't enabled for
Look at my private data?
Yes, if your private data is viewable on a website that you've given a UserScript access too
Do things I didn't want to do?
Yes, a UserScript could do things to a webpage (you've given it access to) that are unwanted
How safe is GreaseMonkey?
As safe as the individual UserScripts you have installed
When used with discretion, Greasemonkey should be perfectly safe to install and use. While it is definitely possible to do all manners of mischief with carte-blanche Javascript access to pages, Greasemonkey scripts are restricted to specific URLs, and will not run on sites that are not specified by the URL patterns in their headers.
That being said, a basic rule of thumb is to consider most information on pages with Greasemonkey scripts active to be accessible to those scripts. It is technically feasible to play games like replacing input boxes (in which you might enter passwords or personal info), read any data on the pages, and send data collected to a third party. Greasemonkey scripts do run in an effective sandbox within the browser, and shouldn't be able to affect your computer outside of Firefox.
That being said, in some respects, the risk is comparable to or less than that of installing any other small pieces of open source software. Since Greasemonkey scripts are simple open source Javascript files, it's relatively easy for a programmer to take a look inside and make sure it does what it says it does. As always, run strangers' code (of any form) with care, and take the time to skim the source code if the software is important to you.
In general though, Greasemonkey scripts should be pretty safe. Try to use scripts with a large number of reviews and users, since these are likely to be more thoroughly vetted and analyzed by the community.
Happy userscripting!
Yes, userscripts can steal your passwords. That's the bottom line. Don't use firefox addons or userscripts on work or government computers without referring to your bosses.
Unlike firefox addons userscripts are not formally vetted. (Firefox 'experimental' addons are also not vetted). You can register and add a malicious script to userscripts.org in a moment.
Userscripts are very unsafe. The cross-site scripting ability means that it's no difficulty at all to send off your details/passwords to an evil server quite invisibly. And the script can do it for any site. Ignore the other answers that attempt to dismiss/minimise this issue. There are two issues: evil script writers putting their evil wares on to userscripts.org and scripts that break greasemonkeys' sandbox and so are vulnerable to being used by malicious code on a hacked site that would otherwise be restricted to same-domain.
In the case of evil script authors you can examine the scripts for code that sends your details; not much fun. At the very least you could restrict the script to particular sites by editing the 'include/exclude' clause. That doesn't solve the problem but at least it won't be sending off your banking credentials (unless you've used the same login details). It's a pity there isn't an 'includexss' clause to restrict xss requests, which would effectively solve the problem since, crucially, it would be easy to check even for non-developers. (the Firefox addon "RequestPolicy" doesn't block userscripts.)
Unsafe scripts: look for any use of 'unsafewindow'. There are other risky calls. Greasemonkey doesn't warn you of their use when the script is installed. Use of these calls doesn't mean the script is unsafe, just that the script writer had better be good at secure programming; it's difficult and most aren't. I avoid writing scripts that would need these calls. There are popular, high-download scripts that use these calls.
Firefox plugins/addons at Mozilla.org have similar problems to userscripts but at least they are formally vetted. The vetting/review includes the all-important code-review. Nevertheless there are clever techniques for avoiding the detection of evil code without the need of obfuscation. Also the addon may be hosted on an (unknown to anyone) hacked site. Unfortunately mozilla also lists 'experimental' addons which are not vetted and have had malicious code. You get a warning but how many know the real significance. I didn't until I picked up security knowledge. I never install such addons.
Userscripts are not formally vetted. Unless a script has a lot of installs I examine the code. Even so a high-install script could still have had the script-writer's account hijacked and script modified. Even if I examine a script the use of anti-detection programming means I may not see the evil. Perhaps the best bet is to examine outgoing requests with "Tamper Data" firefox addon, but a clever script will delay or infrequently send data. It's a tactical war, unfortunately. Ironically only microsoft's certificate based activeX objects really approach a real solution in developer traceability (but didn't go far enough).
It's true that a firefox addon gives an evil-doer greater exposure to potential victims, since firefox addons are generally more popular and so seem more likely to be targeted, but the firefox vetting process makes userscripts more attractive to the evil-doer since they are not vetted. Arguably a low-download userscript can still get a criminal plenty of valuable logins until it is spotted, while also giving the benefit of the relative obscurity and low community churn of userscripts, as well as a low chance of anyone code-reviewing it. You can't depend on firefox addons' popularity to protect you from evil userscripts.
As a non-developer you are dependent on other users spotting evil scripts/addons. How likely is that? Who knows. The truth is it's a crap security model.
Ultimately I use firefox for general browsing and Google Chrome (without greasemonkey/plugins) for admin purposes. Chrome also has a usable 'profiles' feature (totally separate browsing spaces) which is effectively like using different browsers. I've set up three chrome profiles to make myself even more safe: email/general-admin, banking, ebay/paypal. Firefox has unusable profiles (in my experience) but I prefer firefox as a browser which is why I still use it for uncritical browsing. Profiles also protect against old fashioned browser security holes and hacked sites, at least limiting their scope. But make sure you use different passwords. Another approach is a clean bootable ubuntu install on a USB stick for critical admin (see here http://www.geekconnection.org/remastersys/).
Jetpacks' special trust model, rather like the PGP trust network, which underlines the seriousness of this issue, should hopefully mitigate it. Jetpack is firefox's new kid on the block: a kind of super greasemonkey.