Can a webpage detect a tampermonkey userscript?


Question

My question is sort of two-fold. First, how the sandbox model works, how it impacts the userscript, what is accessible / seen from the webpage and userscript point of view, and if using a different sandbox model affects the page being able to notice your script being injected into the page (or not). Second, how scripts are injected into the page, and can the page detect it?

From what I can see, when you use @grant none, the sandbox is disabled and you will have access to the webpage and its javascript. IF you make any changes to the javascript and/or DOM, it is possibly detectable by the page.

My understanding is, if you use @grant unsafeWindow, your script will be isolated in its own js context, anything you do to window will NOT be seen by the webpage, BUT you can access the webpage and javascript through unsafeWindow. You will have regular access to the DOM, e.g. document returns the regular page document rather than you needing to say unsafeWindow.document. Obviously, any changes you make to the DOM or page js context (e.g. unsafeWindow.foo = 'bar';) will still be detectable. The reason it is unsafe is not because of being detected or not, but because you are able to potentially give the untrusted page access to privileged GM_* functions in this mode, (which are not granted in regular mode, which means that @grant GM_* for any function will isolate the js context, and you'll lose access to the page's js context unless you @grant unsafeWindow)

How are scripts injected into the page? Is it possible that the webpage can notice the userscript injection (assuming the userscript modifies NOTHING on the page).

For example, if a script was injected using a script tag, I think the page could possibly notice the script injection, even get a look at its code?

Does the sandbox model have any role in the way this happens, and make it "safer" to not be seen? For example, if the js contexts are isolated if you use @grant unsafeWindow, then perhaps the js on the webpage can't even see any userscript load event, making @grant unsafeWindow fundamentally safer, UNLESS you go modifying the DOM or unsafeWindow of course.

I'm also assuming that there's no leak of special functions, objects, properties, etc (such as GM_info to the webpage which would betray the existence of tampermonkey?). Neither in @grant none mode or @grant unsafeWindow mode (provided you didn't leak anything to the page)

This lets me feel that unsafeWindow is actually safer in terms of not being detected (because the js contexts are isolated), as long as you don't go modifying anything (and especially DON'T expose privileged GM_* functions to unsafeWindow). For example, if you used an eventListener on @grant none mode, it may possibly be detected, but if you use it in @grant unsafeWindow mode, it may not be detected because of the isolation? Furthermore, IF it was possible for a page to detect the userscript loading (I don't know if this is actually possible or not), it wouldn't know if the js contexts are isolated

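In short, can a page detect the existence of either the userscript or tampermonkey if you don't betray your presence to the page?

Are any of my above thoughts incorrect anywhere, and if so, how does it actually work?

Some info for clarification: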

A userscript only reads information passively from the page (perhaps using a MutationObserver). It doesn't alter anything in any way, does not use any js libraries (neither from the userscript nor from the webpage) no ajax calls, no script nodes, definitely no clicks, etc. The script MAY read some information from JS vars on the page (let's assume those vars and functions are not booby trapped), as well as using a WebSocket (internal service). Using an IIFE too. So the question mostly is, is tampermonkey in and of itself (and if it runs a page script) detectable?

In this answer: https://stackoverflow.com/a/8548311 I can rule out 1, 4, 5, 6, and 7; probably 2 and 3 as well, but I don't know if tampermonkey in and of itself would affect any of these

Recommended answer

Browsers and Greasemonkey/Tampermonkey/Violentmonkey have (mostly) improved how they do injection, scoping, and sand-boxing. Userscripts are not injected using ordinary <script> tags (although your script may need to create such tags in some occasions).

In fact, there is almost no need to use an IIFE nowadays.

However, in addition to the previously linked question:

  1. In @grant none mode, if you @require a library that copies itself to window scope, the page can see it. Most libraries do not do that, but one that does is jQuery.
  2. Tampermonkey actually provides the installed script version to sites that are whitelisted in the advanced settings. This is mainly for script hosts like greasyfork.org.
  3. I don't know if a page can detect WebSockets in use by a userscript. I doubt it.

Bottom line, is for a "read only" userscript, that does not require global libraries in @grant none mode, the page cannot detect it.
(Unless the page is greasyfork.org, etc., and you have the Allow communication with cooperate pages setting at the default value.)

If you discover some leak whereby a page can detect a "passive" script, let us know and chances are it can get plugged.
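
The visibility rules discussed in the question and answer above, as an added Node.js simulation (not code from the original post or from Tampermonkey). It assumes `vm` contexts are an adequate stand-in for the page scope and for an isolated userscript scope; `makeGlobal`, `observe`, `report` and the sample script strings are constructed for illustration.

```javascript
const vm = require('vm');

// Constructed stand-in for a browser global object: a vm context whose
// `window` property points back at itself. Not a real browser window.
function makeGlobal(extra = {}) {
  const g = { ...extra };
  g.window = g;
  return vm.createContext(g);
}

// What a page script could do: record its global names, then diff later.
const snapshot = (page) => new Set(Object.keys(page));
const addedSince = (page, baseline) =>
  Object.keys(page).filter((name) => !baseline.has(name)).sort();

// Constructed userscript bodies (hypothetical, for illustration).
const SCRIPTS = {
  // Mimics an @require'd library that copies itself to window scope.
  exportingLibrary: 'window.jQuery = window.$ = function () {};',
  // Read-only script in an IIFE: reads a page variable, writes nothing.
  passiveRead: '(function () { const user = window.appState.user; return user; })();',
  // Writes only to the userscript's own window.
  ownWindowWrite: 'window.foo = "bar";',
  // Writes through to the page, as in the question's example.
  unsafeWindowWrite: 'unsafeWindow.foo = "bar";',
};

// mode "none": script shares the page's globals (assumed model of @grant none).
// mode "isolated": script gets its own globals plus unsafeWindow -> page.
function observe(mode, source) {
  const page = makeGlobal({ appState: { user: 'demo' } });
  const baseline = snapshot(page);
  const scope = mode === 'none' ? page : makeGlobal({ unsafeWindow: page });
  vm.runInContext(source, scope);
  return addedSince(page, baseline); // globals the page can now see
}

function report() {
  return {
    noneWithLibrary: observe('none', SCRIPTS.exportingLibrary),
    nonePassive: observe('none', SCRIPTS.passiveRead),
    isolatedOwnWrite: observe('isolated', SCRIPTS.ownWindowWrite),
    isolatedUnsafeWrite: observe('isolated', SCRIPTS.unsafeWindowWrite),
  };
}

console.log(report());
```

Only the exporting library and the `unsafeWindow` write leave names the simulated page can enumerate; the passive read and the write to the isolated `window` leave none.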
