UserScripts & Greasemonkey: calling a website's JavaScript functions
I'm creating a UserScript extension for Firefox & Chrome and I'm trying to use some of the code in the website's JavaScript, e.g.:
function myFunction() {
    return Grooveshark.playNextSong();
}
The problem is when I test this code, Grooveshark is a null reference.
I know there are other people who have done it:
But I don't know why my simple extension can't call Grooveshark's JavaScript functions.
Do I need to 'append' my script to the document in order for this to work?:
document.body.appendChild(script);
Doesn't Greasemonkey inject my extension's JavaScript already? Can someone clarify this for me please.
Thanks.
Background
Doesn't Greasemonkey inject my extension's JavaScript already? Can someone clarify this for me please.
Greasemonkey executes your scripts in a sandbox, which is a restricted environment without direct access to the JavaScript in the page. Earlier versions of Greasemonkey injected scripts directly into the page, but this introduced serious security vulnerabilities. In the old model, scripts ran with the elevated rights of the browser chrome, which allowed remote pages to access Greasemonkey's built-in functions using some clever JavaScript. This was bad:
Greasemonkey scripts contained their own GM_xmlhttprequest object which, unlike a normal xmlhttprequest object, could access any local files on one's computer or make arbitrary requests to arbitrary sites without regard for the same origin policy that typically applies to xmlhttprequest. (source)
When you access the window object from a Greasemonkey script today, what you get is a wrapper object that indirectly references the actual window's properties. This wrapper object can be modified safely, but has important limitations. Access to the actual window object is provided by unsafeWindow (shorthand for window.wrappedJSObject). Use of unsafeWindow re-opens all of Greasemonkey's original security problems and isn't available in Chrome. It should be avoided wherever possible.
The good news: there are at least two ways to work with Greasemonkey's new security model in a safe way.
Script Injection
Now that Greasemonkey scripts can safely access the DOM, it's trivial to inject a <script> tag into the <head> of the target document. Create a function like this:
function exec(fn) {
    var script = document.createElement('script');
    script.setAttribute("type", "application/javascript");
    script.textContent = '(' + fn + ')();';
    document.body.appendChild(script); // run the script
    document.body.removeChild(script); // clean up
}
It's simple to use:
exec(function() {
    return Grooveshark.playNextSong();
});
Location Hack
Script injection may be overkill in some cases, especially when all you need is to modify the value of a variable in the page or execute a single function. The Location Hack leverages javascript: URLs to access code in the document's content. It's a lot like running a bookmarklet from within a Greasemonkey script.
location.assign("javascript:Grooveshark.playNextSong();void(0)");
Bonus Script
Here's a complete Greasemonkey script that demonstrates the examples above. You can run it on this page.
// ==UserScript==
// @name Content Function Test
// @namespace lwburk
// @include http://stackoverflow.com/questions/5006460/userscripts-greasemonkey-calling-a-websites-javascript-functions
// ==/UserScript==
function exec(fn) {
    var script = document.createElement('script');
    script.setAttribute("type", "application/javascript");
    script.textContent = '(' + fn + ')();';
    document.body.appendChild(script); // run the script
    document.body.removeChild(script); // clean up
}
window.addEventListener("load", function() {
    // script injection
    exec(function() {
        // alerts true if you're registered with Stack Overflow
        alert('registered? ' + isRegistered);
    });
    // location hack
    location.assign("javascript:alert('registered? ' + isRegistered);void(0)");
}, false);
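Added example, not part of the original answer: exec() above can run a function in the page but cannot pass values in or read a result back. The sketch below does both without unsafeWindow by sending arguments as a JSON literal and returning the result as a JSON string on a DOM event, which the sandbox side validates as untrusted input. The names buildPageScript, parseReply, callInPage and the gm-reply- event prefix are hypothetical.

```javascript
// Added example, not from the original answer; all names here are hypothetical.
// Arguments enter the page as a JSON literal, so they stay data, never code.
function buildPageScript(fn, args, eventName) {
  if (typeof fn !== 'function') throw new TypeError('fn must be a function');
  if (!Array.isArray(args)) throw new TypeError('args must be an array');
  var literal = JSON.stringify(args)
    .replace(/\u2028/g, '\\u2028')  // legal in JSON, but line terminators
    .replace(/\u2029/g, '\\u2029'); // in pre-ES2019 JavaScript string literals
  return '(function () {' +
    'var out;' +
    'try { out = JSON.stringify({ ok: true, value: (' + fn + ').apply(null, ' + literal + ') }); }' +
    'catch (e) { out = JSON.stringify({ ok: false, error: String(e) }); }' +
    'document.dispatchEvent(new CustomEvent(' + JSON.stringify(eventName) + ', { detail: out }));' +
    '})();';
}

// The page can dispatch the reply event itself, so the reply is untrusted
// input: accept only a JSON string with the expected shape.
function parseReply(detail) {
  if (typeof detail !== 'string') throw new TypeError('reply must be a JSON string');
  var reply = JSON.parse(detail);
  if (reply === null || typeof reply !== 'object' || typeof reply.ok !== 'boolean') {
    throw new TypeError('malformed reply');
  }
  if (!reply.ok) throw new Error('page function failed: ' + String(reply.error));
  return reply.value;
}

// Inject, run and clean up as exec() does, then pass the result to callback.
function callInPage(fn, args, callback) {
  var eventName = 'gm-reply-' + Math.random().toString(36).slice(2);
  document.addEventListener(eventName, function onReply(event) {
    document.removeEventListener(eventName, onReply);
    callback(parseReply(event.detail));
  });
  var script = document.createElement('script');
  script.textContent = buildPageScript(fn, args, eventName);
  document.body.appendChild(script); // the page runs it synchronously
  document.body.removeChild(script);
}

// Usage inside a userscript (Grooveshark is the page's own global):
// callInPage(function () { return Grooveshark.playNextSong(); }, [], function (result) {
//   console.log('page returned', result);
// });
```

Only JSON-serialisable values cross the boundary in either direction, so no page object reference ever reaches the sandbox.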