[Greasemonkey] Making NoScript and Greasemonkey work together - a proposal.

Mackey Stingray mackys at gully.org
Wed Sep 13 04:06:42 EDT 2006


  I'd very much like to use GM upon web pages that I also use NoScript
upon. Currently this doesn't work, and the reason it doesn't is that GM
inserts a "<script>" tag into the web page's document object and then
just assumes that the code in the tag will run:

  function runBrowserScript(doc, jscode) {
    var elm = doc.createElement("script");
    elm.appendChild(doc.createTextNode(jscode));
    doc.body.appendChild(elm);
    doc.body.removeChild(elm);
  }

  - From GM's browser.xul

  Now obviously if NoScript is preventing JScript on a page from
running, this won't work.

  There's an easy way around this that you already know about. Instead
of inserting the code into the page by inserting a <script> element,
the code could be called by adding a "DOMContentLoaded" (or "load")
listener to the page's document object:

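  function runBrowserScript(doc, jscode) {
    var content = doc.getElementById("appcontent");
    if (content) {
      // jscode is the script text (a string), as in the function above;
      // it stands here as a placeholder for running that text.
      content.addEventListener("DOMContentLoaded", function(){ jscode }, false);
    }
  }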

  This trick is certainly known, because it's used higher up in
browser.xul to insert the greaseLoad() function into every web page.

  So, my question is, why haven't we taken the obvious step of using
a DOMContentLoaded eventListener to run GM scripts over NoScript's head?
The NoScript FAQ page references a Moz bug that disables chrome:// XBL
routines when the page is JScript disabled. But I'm not sure how that's
relevant. Code running in browser.xul doesn't seem to have this limitation,
or else the right-click context menu wouldn't work on a JScript disabled
web page. Can't we use a similar mechanism to run user-specified
greasemonkey scripts? And if getting GM to run scripts despite NoScript
is impossible, then how does AdBlock+ get away with altering document
elements in spite of NoScript?


  Assuming this can be made to work, there are other issues. Security
is a huge one. Having a piece of random JScript that a user downloaded
from a random website is dangerous enough when it's running in the
theoretically somewhat secure context of the web page. There's
tremendous potential for every kind of damage imaginable when JScript
runs with the same privileges as browser chrome. Possibly there
need to be both "normal" and "high privilege" GM scripts.

  There may also be some JavaScript scope chain issues, due to the
differences between how the DOM 2 standards vs. older standards specify
scope chain for event handlers.


  Alright experts, lay it on me: How come we can't make GM work
with (or in spite of) NoScript?


          -Ben
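
The split between "normal" and "high privilege" scripts suggested in the post, as an added Node.js sketch that is not part of the original message and is not Greasemonkey or Firefox code. `runUserScript`, `highPrivilege`, and the `chrome`/`document` stand-in objects are hypothetical names; Node's `vm` module is not a security boundary and is used here only to show which objects end up in a script's scope.

```javascript
const vm = require("node:vm");

// Constructed stand-ins: what chrome code can reach, and a content page.
const makeChrome = () => ({ prefs: { homepage: "about:blank" } });
const makePage = () => ({ title: "inbox" });

// Run one user script in its own global object. Only a script explicitly
// marked highPrivilege gets the chrome object in scope; anything else
// (flag missing, false, or a non-boolean value) gets the page-only global.
function runUserScript(script, chrome, page) {
  const globals = { document: page };
  if (script.highPrivilege === true) globals.chrome = chrome;
  const context = vm.createContext(globals);
  const wrapped = "(function(){" + script.code + "\n})()";
  return vm.runInContext(wrapped, context, { timeout: 100 });
}

// Constructed user script: edits the page, and touches chrome if it can.
const code = `
  document.title = document.title.toUpperCase();
  if (typeof chrome !== "undefined") {
    chrome.prefs.homepage = "http://changed.example/";
  }
  return typeof chrome;`;

// Run the same script at the given privilege level against fresh objects
// and report what it saw and what it changed.
function demo(highPrivilege) {
  const chrome = makeChrome();
  const page = makePage();
  const sees = runUserScript({ code, highPrivilege }, chrome, page);
  return { sees, title: page.title, homepage: chrome.prefs.homepage };
}

console.log("normal:        ", demo(false));
console.log("high privilege:", demo(true));
```

The same script text changes only the page in the first run and also rewrites the stand-in preference in the second, which is the difference in blast radius the post is concerned about.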

