Chrome用户脚本是否与Greasemonkey脚本等全局名称空间分开？ [英] Are Chrome user-scripts separated from the global namespace like Greasemonkey scripts?

问题描述

我知道Greasemonkey脚本以某种方式自动包裹在匿名函数中，以防止它们与页面中的脚本冲突。

与Chrome用户脚本一样吗？

解决方案

是的，Greasemonkey脚本是通常包装在一个匿名函数中。并且， Chrome用户脚本显然也是。然而，更重要的是，Greasemonkey脚本通常是 ¹ 封装在 XPCNativeWrapper 沙盒中，而Google Chrome将用户脚本转换为扩展，并且它们在Google称之为孤立的竞技场中运行世界 ² 。

因此，出于安全目的，您不需要将脚本代码包含在匿名函数中，它们'b已经受到保护。

请注意：

1. 直接进入页面（创建< script> t这个代码可以被页面的JS看到。


2. 如果你使用 unsafeWindow ，那么页面理论上可以遵循它返回并获得轻微提升的权限。
   

风险非常低，我一直无法在野生。

~~~

底线，两个浏览器中的脚本都会有不同程度的隔离。 （而不仅仅是被匿名函数包装）。

Greasemonkey具有一组不错的特权功能。尽管Chrome中的用户脚本受到了更多限制。

然而，通过使用 Tampermonkey扩展。

---

¹ 由于 Greasemonkey 1.0版（2012年8月24日），沙盒由 @grant 指令。如果脚本以（或默认为） @grant none 运行，则不使用沙箱。该脚本仅运行在私人范围内，并且正常的 GM _ API函数不起作用。

² 这听起来不像一些讨厌的沙箱那么大吗？ （^ _ ^）

。

I know Greasemonkey scripts are automatically wrapped in anonymous functions isolated in some way in order to prevent them conflicting with scripts in the page.

Does the same happen with Chrome user-scripts?

解决方案

Yes, Greasemonkey scripts are normally wrapped in an anonymous function. And, Chrome userscripts apparently are too.

But, more importantly, Greasemonkey scripts are usually¹ wrapped in an XPCNativeWrapper sandbox, while Google Chrome converts userscripts into extensions, and they operate in an arena that Google calls an "isolated world"².

So, you don't need to wrap your script code in anonymous functions for security purposes, they're already protected.

Just beware that:

1. If you inject code directly into the page (create a <script> tag), then that code can be seen by the page's JS.
2. If you use unsafeWindow, then the page could theoretically follow it back and gain slightly elevated privileges.

The risk is very low, and I haven't been able to find any documented exploits in the wild.

~~~
Bottom line, scripts are isolated to different degrees in both browsers. (And not merely by being wrapped in anonymous functions.)

Greasemonkey has a nice set of privileged features available, in Firefox. While userscripts in Chrome are much more restricted.

However, much of GM's functionality is restored to Chrome via use of the Tampermonkey extension.

---

¹ As of Greasemonkey version 1.0 (August 24, 2012), the sandbox is controlled by the @grant directive. If the script runs with (or defaults to) @grant none, then the sandbox isn't used. The script merely runs in a private scope and the normal GM_, API functions will not work.

² Doesn't that sound so much bigger/nicer than some nasty sandbox? (^_^)

.

这篇关于Chrome用户脚本是否与Greasemonkey脚本等全局名称空间分开？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！