Are Chrome user-scripts separated from the global namespace like Greasemonkey scripts?
Question
I know Greasemonkey scripts are automatically wrapped in anonymous functions isolated in some way in order to prevent them conflicting with scripts in the page.
Does the same happen with Chrome user-scripts?
Recommended answer
Yes, Greasemonkey scripts are normally wrapped in an anonymous function. And, Chrome userscripts apparently are too.
But, more importantly, Greasemonkey scripts are usually [1] wrapped in an XPCNativeWrapper sandbox, while Google Chrome converts userscripts into extensions, and they operate in an arena that Google calls an "isolated world" [2].
So, you don't need to wrap your script code in anonymous functions for security purposes; they're already protected.
Note that:
- If you inject code directly into the page (create a <script> tag), then that code can be seen by the page's JS.
- If you use unsafeWindow, then the page could theoretically follow it back and gain slightly elevated privileges.
The risk is very low, and I haven't been able to find any documented exploits in the wild.
Bottom line, scripts are isolated to different degrees in both browsers. (And not merely by being wrapped in anonymous functions.)
Greasemonkey has a nice set of privileged features available in Firefox, while userscripts in Chrome are much more restricted.
However, much of GM's functionality is restored to Chrome via use of the Tampermonkey extension.
[1] As of Greasemonkey version 1.0 (August 24, 2012), the sandbox is controlled by the @grant directive. If the script runs with (or defaults to) @grant none, then the sandbox isn't used. The script merely runs in a private scope and the normal GM_ API functions will not work.
[2] Doesn't that sound so much bigger/nicer than some nasty sandbox? (^_^)
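The caveats in the answer above (a defaulted or explicit @grant none, use of unsafeWindow, and <script> tag injection) can be checked statically before a userscript is installed. The following is an added example, not part of the original answer: auditUserscript, its report fields and the SAMPLE script are hypothetical and constructed for illustration, and treating a missing @grant as none follows footnote 1.

```javascript
// Added example (not from the original answer). auditUserscript and its
// report fields are hypothetical names; SAMPLE is a constructed userscript.
function auditUserscript(source) {
  // Metadata sits between the ==UserScript== markers, one "// @key value" per line.
  const meta = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  const grants = [];
  for (const line of (meta ? meta[1] : "").split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@grant\s+(\S+)/);
    if (m) grants.push(m[1]);
  }
  // Footnote 1: with an explicit or defaulted "@grant none" the sandbox is not used.
  const sandboxed = grants.some((g) => g !== "none");
  // Drop the metadata block, block comments and whole-line comments so that
  // only executable code is scanned (trailing comments are left in place).
  const body = source
    .replace(meta ? meta[0] : "", "")
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/^\s*\/\/.*$/gm, "");
  const findings = [];
  if (!sandboxed) findings.push("no-sandbox: private scope only, GM_ API unavailable");
  if (/\bunsafeWindow\b/.test(body)) {
    findings.push("unsafeWindow: page could follow the reference back");
  }
  if (/createElement\s*\(\s*['"]script['"]\s*\)/i.test(body)) {
    findings.push("script-injection: injected code is visible to the page's JS");
  }
  return { grants, sandboxed, findings };
}

// Constructed sample input: a sandboxed script that still crosses the boundary twice.
const SAMPLE = [
  "// ==UserScript==",
  "// @name   demo (constructed sample)",
  "// @grant  GM_getValue",
  "// @grant  unsafeWindow",
  "// ==/UserScript==",
  "// unsafeWindow mentioned only in a comment is ignored",
  "const s = document.createElement('script');",
  "s.textContent = 'window.helper = 1';",
  "document.head.appendChild(s);",
  "unsafeWindow.pageFn();",
].join("\n");

console.log(auditUserscript(SAMPLE));
```

The check is a heuristic over source text, so a finding is a prompt to read the flagged code, not proof that the page can reach the script.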