Switching off `@grant none` breaks my Greasemonkey script?

Question

I\'m running this script on the Facebook homepage. It gets all the conversations in the dock in the bottom and gets their __FB_TOKENs.

// ==User         


        

Answer 1

When you switch from @grant none to @grant GM_xmlhttpRequest, Greasemonkey switches the sandbox back on, as a side-effect.
_{(Frankly, all GM developers and scripts should always run with the sandbox on anyway -- with extremely rare exceptions. This avoids "Time bomb" coding problems and head-scratchers like this question.)}

JavaScript objects, arrays, variables, and functions cannot cross the sandbox. But unsafeWindow is provided to the Greasemonkey scope as a limited workaround.

Also important for this question:

1. Greasemonkey (and Firefox) just shut down some of the previously possible solutions using unsafeWindow.
2. jQuery is a special case and is extra difficult to use to bring non-DOM objects across the sandbox.

Solution:

1. Since __FB_TOKEN is an array, you must use unsafeWindow to get it across the sandbox.
2. Trying to use jQuery in this case gives an unacceptably high headache-to-results ratio; so use plain DOM methods.

Putting it all together the script becomes:

// ==UserScript==
// @name        _MyScript
// @namespace   MyNameSpace
// @include     /https?://(www.)?facebook.com(/.*)?/
// @require     http://code.jquery.com/jquery-2.1.0.min.js
// @version     0.0.0
// @grant       GM_xmlhttpRequest
// ==/UserScript==
(function () {
    // Don't run on frames or iframes
    if (window.top != window.self) {
        return;
    }
    window.addEventListener ('load', function () {
        /*--- This unsafeWindow is key. After that, don't use any jQuery
            while trying to get at javascript objects like __FB_TOKEN.
        */
        var element = unsafeWindow.document.querySelector (
            '.fbNubGroup.clearfix.videoCallEnabled'
        );
        /*-- Used console.info to make it easier to spot messages buried
            in all the Facebook console crud.
        */
        console.info ('SCRIPT ELEMENT: ', element);

        var children = element.children;
        console.info ('SCRIPT CHILDREN: ', children);

        for (var i = 0; i < children.length; i++) {
            var child = children[i];
            console.info ('SCRIPT CHILD: ', child);

            /*
            child :
              Object [div.someClasses]
                + 0: div.someClasses
                  + __FB_TOKEN: [ 267 ]
            */
            console.info ('SCRIPT CHILD: ', child);
            console.info ('SCRIPT CHILD.__FB_TOKEN:', child.__FB_TOKEN);

            var key = child.__FB_TOKEN[0];
            console.info ('SCRIPT KEY: ', key);
        }
    }, false);
} ) ();