UserScripts & Greasemonkey: calling a website's JavaScript functions

Problem description

I'm creating a UserScript extension for Firefox & Chrome and I'm trying to use some of the code in the website's JavaScript, e.g.:

function myFunction() {
    return Grooveshark.playNextSong();
}

The problem is when I test this code, Grooveshark is a null reference.

I know there are other people who have done it:

see BetterGrooveshark

But I don't know why my simple extension can't call Grooveshark's JavaScript functions.

Do I need to 'append' my script to the document in order for this to work?: document.document.body.appendChild(script);

Doesn't Greasemonkey inject my extension's JavaScript already? Can someone clarify this for me please.

Thanks.

Solution

Background

Doesn't Greasemonkey inject my extension's JavaScript already? Can someone clarify this for me please.

Greasemonkey executes your scripts in a sandbox, which is a restricted environment without direct access to the JavaScript in the page. Earlier versions of Greasemonkey injected scripts directly into the page, but this introduced serious security vulnerabilities. In the old model, scripts ran with the elevated rights of the browser chrome, which allowed remote pages to access Greasemonkey's built-in functions using some clever JavaScript. This was bad:

Greasemonkey scripts contained their own GM_xmlhttprequest object which, unlike a normal xmlhttprequest object, could access any local files on one's computer or make arbitrary requests to arbitrary sites without regard for the same origin policy that typically applies to xmlhttprequest. (source)

When you access the window object from a Greasemonkey script today, what you get is a wrapper object that indirectly references the actual window's properties. This wrapper object can be modified safely, but has important limitations. Access to the actual window object is provided by unsafeWindow (shorthand for window.wrappedJSObject). Use of unsafeWindow re-opens all of Greasemonkey's original security problems and isn't available in Chrome. It should be avoided wherever possible.

The good news: there are at least two ways to work with Greasemonkey's new security model in a safe way.

Script Injection

Now that Greasemonkey scripts can safely access the DOM, it's trivial to inject a <script> tag into the <head> of the target document. Create a function like this:

function exec(fn) {
    var script = document.createElement('script');
    script.setAttribute("type", "application/javascript");
    script.textContent = '(' + fn + ')();';
    document.body.appendChild(script); // run the script
    document.body.removeChild(script); // clean up
}

It's simple to use:

exec(function() {
    return Grooveshark.playNextSong();
});

Location Hack

Script injection may be overkill in some cases, especially when all you need is to modify the value of a variable in the page or execute a single function. The Location Hack leverages javascript: URLs to access code in the document's content. It's a lot like running a bookmarklet from within a Greasemonkey script.

location.assign("javascript:Grooveshark.playNextSong();void(0)");

Bonus Script

Here's a complete Greasemonkey script that demonstrates the examples above. You can run it on this page.

// ==UserScript==
// @name           Content Function Test
// @namespace      lwburk
// @include        http://stackoverflow.com/questions/5006460/userscripts-greasemonkey-calling-a-websites-javascript-functions
// ==/UserScript==

function exec(fn) {
    var script = document.createElement('script');
    script.setAttribute("type", "application/javascript");
    script.textContent = '(' + fn + ')();';
    document.body.appendChild(script); // run the script
    document.body.removeChild(script); // clean up
}

window.addEventListener("load", function() {
    // script injection
    exec(function() {
        // alerts true if you're registered with Stack Overflow
        alert('registered? ' + isRegistered);
    });
    // location hack
    location.assign("javascript:alert('registered? ' + isRegistered);void(0)");
}, false);
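
The exec() helper above takes no arguments, so passing a value from the userscript to page code means putting it into the script text. The following is an added example, not part of the original answer: it extends the same mechanism so that arguments are embedded as JSON literals rather than concatenated into the source, which keeps strings the userscript does not control from being parsed as code. The names toLiteral, buildPageSource and execWithArgs are hypothetical.

```javascript
// Added example (hypothetical helper names), not code from the answer.

// Turn one argument into a JavaScript literal that is safe to embed in
// script source. JSON.stringify quotes and escapes string contents; the
// extra replacements keep "<" and line separators out of the source text.
function toLiteral(value) {
    var json = JSON.stringify(value);
    if (json === undefined) {
        throw new TypeError('argument is not JSON-serializable');
    }
    return json
        .replace(/</g, '\\u003c')
        .replace(/\u2028/g, '\\u2028')
        .replace(/\u2029/g, '\\u2029');
}

// Build the text of the injected <script>: the function's own source,
// invoked with the serialized arguments.
function buildPageSource(fn, args) {
    if (typeof fn !== 'function') {
        throw new TypeError('fn must be a function');
    }
    return '(' + fn + ')(' + (args || []).map(toLiteral).join(',') + ');';
}

// Same mechanism as exec() above, plus arguments. `doc` defaults to the
// page's document and is a parameter only so the function can be tested.
function execWithArgs(fn, args, doc) {
    doc = doc || document;
    var script = doc.createElement('script');
    script.setAttribute('type', 'application/javascript');
    script.textContent = buildPageSource(fn, args);
    doc.body.appendChild(script); // run the script
    doc.body.removeChild(script); // clean up
}

// Constructed sample: a string the userscript does not control. It tries to
// close the call and append a statement; as a JSON literal it stays data.
var untrusted = '"); window.injected = true; ("';
var source = buildPageSource(function (title) {
    window.lastTitle = title;
}, [untrusted]);
```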
