Can a webpage detect a Tampermonkey userscript?

独厮守ぢ 2020-12-31 16:11

My question is sort of two-fold. First, how the sandbox model works, how it impacts the userscript, what is accessible / seen from the webpage and userscrip

2 answers
  • 2020-12-31 16:38

    As mentioned by the answer https://stackoverflow.com/a/8548311, if you do something of the like it is definitely detectable. But, depending on what you want to do with the Tampermonkey script, it will be easier or more difficult to detect, and in some cases impossible.

    From what you are asking, it seems like what you want to make is just invoke an IIFE from the page, and just stop there, "let's say it just reads information".

    This is really tricky to capture, and usually for this, the page should have to compare profilers and execution times and such of other users against you, or some other funky things, and there is no real easy way to find out if the user executed extra JS in the page (as long as you use an IIFE) that has NO SIDE EFFECT. I am not saying that it is 100% undetectable, but let's say it's really really tricky.

    If you are going to modify the DOM, make API calls to an external or internal service, fake movements of the user or other things of this kind, you are going to be detected. So, it depends on what you want to do with the page, but you can be detected "quite easily".

    In a brief summary, can a page detect either your userscript's or Tampermonkey's existence IF you don't betray it?

    Yes, a page can detect these in those cases in which you leave a trace in the page (as defined above). Keep in mind that this will happen only if there is a reason for the page to want to know if that is happening. Also keep in mind that no page will implement something like this just for the sake of it, so don't expect normal pages to complain about this.

  • 2020-12-31 16:46

    Browsers and Greasemonkey/Tampermonkey/Violentmonkey have (mostly) improved how they do injection, scoping, and sand-boxing. Userscripts are not injected using ordinary <script> tags (although your script may need to create such tags on some occasions).

    In fact, there's almost no need to use an IIFE nowadays.

    But, in addition to the detection methods in the previously linked question:

    1. In @grant none mode, if you @require a library that copies itself to window scope, the page can see it. Most libraries do not do that, but one that does is jQuery.
    2. Tampermonkey actually provides the installed script version to sites that are whitelisted in the advanced settings. This is mainly for script hosts like greasyfork.org.
    3. I don't know if a page can detect WebSockets in use by a userscript. I doubt it.

    Bottom line: for a "read only" userscript that does not require global libraries in @grant none mode, the page cannot detect it.
    (Unless the page is greasyfork.org, etc., and you have the Allow communication with cooperate pages setting at the default value.)

    If you discover some leak whereby a page can detect a "passive" script, let us know and chances are it can get plugged.

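The leak described in point 1 of the second answer (a library pulled in with @require in @grant none mode copying itself to window scope) can be seen from the page's side by diffing the global namespace against a baseline. This is an added example, not code from either answer; the function names, the stand-in window object and the version string "3.5.1" are constructed for illustration, and in a browser you would pass the real `window`.

```javascript
// Page-side audit: which globals appeared after the page took its baseline?
function snapshotGlobals(win) {
  // Own property names, including non-enumerable ones.
  return new Set(Object.getOwnPropertyNames(win));
}

function findNewGlobals(win, baseline, expected = []) {
  const allow = new Set(expected); // globals the page itself adds later
  return Object.getOwnPropertyNames(win)
    .filter((name) => !baseline.has(name) && !allow.has(name))
    .sort();
}

function describeGlobal(win, name) {
  const value = win[name];
  // jQuery exposes its version string at jQuery.fn.jquery.
  if (typeof value === "function" && value.fn &&
      typeof value.fn.jquery === "string") {
    return { name, kind: "jQuery", version: value.fn.jquery };
  }
  return { name, kind: typeof value };
}

function auditGlobals(win, baseline, expected = []) {
  return findNewGlobals(win, baseline, expected)
    .map((name) => describeGlobal(win, name));
}

// Constructed demo: a stand-in for window so the example runs outside a browser.
function demo() {
  const fakeWindow = { document: { title: "demo" }, location: {} };
  const baseline = snapshotGlobals(fakeWindow);

  // A global the page adds on its own; it is allow-listed below.
  fakeWindow.analyticsQueue = [];

  // Simulates a @require'd jQuery in @grant none mode: it copies itself
  // to window scope as both `jQuery` and `$`.
  const fakeJQuery = function () {};
  fakeJQuery.fn = { jquery: "3.5.1" }; // constructed version string
  fakeWindow.jQuery = fakeWindow.$ = fakeJQuery;

  // A "read only" script in its own scope adds nothing to the window.
  (function () { const t = fakeWindow.document.title; void t; })();

  return auditGlobals(fakeWindow, baseline, ["analyticsQueue"]);
}
```

The read-only function in the demo leaves no entry in the audit, which matches the answer's bottom line: only the library that copied itself to window scope is visible.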