如何为其他用户远程启用/禁用tampermonkey脚本 [英] How to remotely Enable/Disable a tampermonkey script for other users

问题描述

我创建了一个tampermonkey脚本，我想与朋友分享.有什么办法可以远程禁用它并使它不起作用，以便他不再使用它?

I have created a tampermonkey script and I would like to share it to a friend. Is there any way to disable it remotely and make it non functional so he can no longer use it?

我正在考虑服务器中的.txt文件，其中包含特定值.这将用作令牌.仅当令牌与服务器匹配时，我的脚本才起作用.因此，我可以随时更改令牌，以使脚本对我的朋友不起作用.

I am thinking of something like a .txt file in my server with a specific values in it. This will serve as a token. My script will only work only if the token matches with the server. Thus, i could change the token anytime making the script non functional to my friend.

任何想法怎么可能:)谢谢！

Any idea how can it be possible :) Thanks!

推荐答案

我正在考虑服务器中的.txt文件，其中包含特定值

I am thinking of something like a .txt file in my server with a specific values in it

这是一个主意-确保服务器的端点具有Access-Control-Allow-Origin * ，以便可以通过Javascript在任何地方对其进行请求，并让您的用户脚本对其进行请求，然后进行检查火柴.但是，如果您的朋友根本不懂任何Javascript，就可以轻松绕开它.

That's one idea - make sure your server's endpoint has Access-Control-Allow-Origin * so that it can be requested via Javascript from anywhere, and have your userscript request it, then check that it matches. But if your friend knows any Javascript at all, this will be trivially easy to bypass.

我认为更好的方法是将主要源代码仅保留在服务器上.这样，如果脚本停止工作，用户将无法打开它并进行调试.考虑让您的服务器提供主要脚本内容，并让用户脚本执行响应:

I think a better method would be keep the main source code only on your server. This way, if the script stops working, users can't just open it up and debug. Consider having your server serve the main script content, and have the userscript execute the response:

fetch('serverEndpoint')
  .then(res => res.text())
  .then((text) => {
    eval(text);
  });

尽管这可以实现您的目标，但是对于用户脚本的用户来说，这是非常不安全的，因为现在您可以在他们的计算机上运行任意代码.如果我看到这样的用户脚本，则不经思索就将其标记为不可信.

While this can accomplish your goal, it's very unsafe for users of your userscript, since now you have the ability to run arbitrary code on their machines. If I saw a userscript like this, I would mark it as untrustworthy without a second's thought.

另一种方法是对用户脚本中的代码进行加密，以便只有从服务器请求密钥才能对其进行解密和运行.这对于用户来说会更安全，但是如果他们看不到脚本的实际作用，那么他们可能就不会信任它-如果他们了解足够的Javascript，则可以窥视服务器的响应并解码源代码自己.

Another method would be to encrypt your code in the userscript such that only by requesting a key from your server can it be decrypted and run. This would be safer for users, but if they can't see what the script is actually doing, they might not trust it - and if they know enough Javascript, they'll be able to peek at your server's response and decode your source code themselves.

这篇关于如何为其他用户远程启用/禁用tampermonkey脚本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！