[Greasemonkey] Greasemonkey and GMail

Mark Pilgrim pilgrim at gmail.com
Thu Aug 18 17:00:19 EDT 2005


On 8/18/05, Shaya Potter <spotter at cs.columbia.edu> wrote:
> > window.watch('initialCRC', function(name, oldVal, newVal) { return oldVal; });
> 
> and there's no way for a GM script to change that?  Or even better, for
> a GM script to disable the later javascript check in total!

In the general case?  No.  Another test page:

http://diveintogreasemonkey.org/experiments/detect-page-modification2.html
http://diveintogreasemonkey.org/experiments/evilrelinkify.user.js

The page not only detects that a user script has modified the page, it
also detects (and blocks) the user script's attempt to fake the
initialCRC.

It might be possible for a user script to maliciously clear the
timeout (window.setTimeout returns a numeric identifier that can be
passed to window.clearTimeout), but I don't know of a way to get a
list of all the pending timeouts, nor do I know what the possible
range of values for those identifiers is (to brute-force it by
clearing all possible timeouts).  But the page could set up multiple
traps -- for example, an onmousemove event handler -- and continuously
recheck the page to ensure "consistency".

This reminds me of the Good Old Days(tm) of copy-protected disks on
the Apple ][.  Certainly a site could serve a "monkey-protected" page.
In fact, if Greasemonkey/Turnabout continue to gain popularity, I
would bet real money that some snake-oil salesmen will pop up out of
their slimy holes in the ground to sell their patent-pending "monkey
protection" libraries.  The only question is, which will happen first:
someone breaking the protection wide open, or an ungreased user
getting falsely accused because of a bug?

-- 
Cheers,
-Mark
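Added example, not code from the original post or from the linked experiment pages: a Node-runnable simulation of the page-side scheme Mark describes. It assumes a CRC-32 of the page markup as the "initialCRC", substitutes Object.defineProperty (writable: false, configurable: false) for Mozilla's non-standard window.watch() as the way to reject writes to the baseline, and uses a constructed string and a tiny event emitter in place of the DOM and window. A relinkify-style user script rewrites the page, an "evil" variant then tries to fake the baseline, and several traps (load, mousemove, keydown) re-run the same check so that clearing one timer would not disarm the page.

```javascript
// Added example, not code from the original post or the linked experiment pages.
// Simulates the "monkey-protected" page described above, without a DOM so it
// runs under Node: the page hashes its own markup once, locks that baseline,
// and re-checks it from several independent triggers.

// CRC-32 (reflected polynomial 0xEDB88320) over each code unit truncated to a
// byte; adequate for a demo, where the DOM stand-in is a plain string.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 0xFF;
    for (let k = 0; k < 8; k++) {
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// The page's own guard. The original uses Mozilla's non-standard window.watch()
// to reject writes to initialCRC; here (our substitution) the baseline is a
// non-writable, non-configurable property, so a later assignment is ignored in
// sloppy mode and throws a TypeError in strict mode.
function createTamperDetector(getContent) {
  const detector = {};
  Object.defineProperty(detector, 'initialCRC', {
    value: crc32(getContent()),
    writable: false,
    configurable: false,
    enumerable: true,
  });
  // Cheap enough to run from a timer, an onmousemove handler, a submit handler...
  detector.check = function () {
    return crc32(getContent()) === detector.initialCRC;
  };
  return detector;
}

// Several traps running the same check, as the e-mail suggests, so clearing
// one setTimeout does not disarm the page.
function installTraps(detector, win, eventNames, onViolation) {
  for (const name of eventNames) {
    win.addEventListener(name, () => {
      if (!detector.check()) onViolation(name);
    });
  }
}

// Constructed stand-ins for window and document (in a browser these would be
// window.addEventListener and document.body.innerHTML).
class FakeWindow {
  constructor() { this.handlers = {}; }
  addEventListener(name, fn) {
    (this.handlers[name] || (this.handlers[name] = [])).push(fn);
  }
  dispatch(name) { for (const fn of this.handlers[name] || []) fn(); }
}
function makePage(html) {
  const page = { html };
  page.getContent = () => page.html;
  return page;
}

// A relinkify-style user script: turn bare URLs into anchors.
function relinkify(page) {
  page.html = page.html.replace(/\bhttps?:\/\/\S+/g, (u) => `<a href="${u}">${u}</a>`);
}

// The "evil" variant: after rewriting, try to overwrite the baseline with the
// CRC of the modified page. Returns true only if the forgery took effect.
function attemptFakeBaseline(detector, page) {
  const forged = crc32(page.getContent());
  try {
    detector.initialCRC = forged;
  } catch (e) {
    // strict mode: TypeError from the non-writable property
  }
  return detector.initialCRC === forged;
}

function runScenario() {
  const page = makePage('<p>See http://diveintogreasemonkey.org/ for more.</p>');
  const win = new FakeWindow();
  const detector = createTamperDetector(page.getContent);
  const violations = [];
  installTraps(detector, win, ['load', 'mousemove', 'keydown'], (ev) => violations.push(ev));

  win.dispatch('load');                 // untouched page: no violation recorded
  const cleanBefore = detector.check();

  relinkify(page);                      // user script modifies the page
  win.dispatch('mousemove');            // the mousemove trap catches it
  const faked = attemptFakeBaseline(detector, page);
  win.dispatch('keydown');              // still caught after the failed forgery

  return { cleanBefore, faked, violations, finalCheck: detector.check() };
}

console.log(runScenario());
```

Two caveats a practitioner would want. First, the guard only locks the baseline value; the check function and the code that calls it live in the same page, and locking a number says nothing about them. Second, the check cannot tell a user script from the page's own dynamic content: any legitimate change to the markup after the snapshot (a rotating ad, a clock, a lazily loaded widget) changes the CRC just as relinkify does, which is exactly the "ungreased user getting falsely accused" outcome the e-mail anticipates.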

