[Greasemonkey] Greasemonkey and GMail

Mark Pilgrim pilgrim at gmail.com
Thu Aug 18 17:00:19 EDT 2005

On 8/18/05, Shaya Potter <spotter at cs.columbia.edu> wrote:
> > window.watch('initialCRC', function(name, oldVal, newVal) { return oldVal; });
> and there's no way for a GM script to change that?  Or even better, for
> a GM script to disable the later javascript check in total!

In the general case?  No.  Another test page:


The page not only detects that a user script has modified the page, it
also detects (and blocks) the user script's attempt to fake the

It might be possible for a user script to maliciously clear the
timeout (window.setTimeout returns a numeric identifier that can be
passed to window.clearTimeout), but I don't know of a way to get a
list of all the pending timeouts, nor do I know what the possible
range of values for those identifiers is (to brute-force it by
clearing all possible timeouts).  But the page could set up multiple
traps -- for example, an onmousemove event handler -- and continuously
recheck the page to ensure "consistency".

This reminds me of the Good Old Days(tm) of copy-protected disks on
the Apple ][.  Certainly a site could serve a "monkey-protected" page.
 In fact, if Greasemonkey/Turnabout continue to gain popularity, I
would bet real money that some snake-oil salesmen will pop up out of
their slimy holes in the ground to sell their patent-pending "monkey
protection" libraries.  The only question is, which will happen first:
someone breaking the protection wide open, or an ungreased user
getting falsely accused because of a bug?
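
An added illustration, not part of the original message or its test page: the lock-the-checksum-and-recheck pattern described above, with `Object.defineProperty` standing in for the old Gecko-only `watch()` call (since removed from Firefox). The names `crc32`, `makeGuard` and `demo` and the sample page string are constructed for this example, and a plain `scope` object stands in for `window` so the code runs in Node.

```javascript
// CRC-32 (IEEE, reflected polynomial 0xEDB88320), bit-at-a-time.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 0xFF;
    for (let k = 0; k < 8; k++) {
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Record the page's checksum once and lock it, then hand back a check
// function that the page can call from several places (a timer, an event
// handler such as onmousemove) so that one cancelled trap is not enough.
function makeGuard(scope, readPage) {
  Object.defineProperty(scope, 'initialCRC', {
    value: crc32(readPage()),
    writable: false,      // same effect as a watch() handler returning oldVal
    configurable: false,  // cannot be redefined or deleted either
    enumerable: true
  });
  return () => crc32(readPage()) === scope.initialCRC;
}

// Constructed scenario: a script edits the page, then tries to overwrite
// the stored checksum so the later recheck would pass.
function demo() {
  const page = { html: '<p>constructed sample page</p>' };
  const scope = {}; // stands in for window
  const check = makeGuard(scope, () => page.html);

  const before = check();
  page.html += '<div>added by a user script</div>';
  // Reflect.set reports failure instead of throwing in strict mode.
  const faked = Reflect.set(scope, 'initialCRC', crc32(page.html));
  const after = check();
  return { before, faked, after };
}

console.log(demo());
```
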

