![]() The reason it is unsafe is not because of being detected or not, but because you are able to potentially give the untrusted page access to privileged GM_* functions in this mode, (which are not granted in regular mode, which means that GM_* for any function will isolate the js context, and you'll lose access to the page's js context unless you unsafeWindow) Second unsafeWindow.foo = 'bar' ) will still be detectable. Obviously, any changes you make to the DOM or page js context (e.g. document returns the regular page document rather than you needing to say unsafeWindow.document. You will have regular access to the DOM, e.g. My understanding is, if you use unsafeWindow, your script will be isolated in its own js context, anything you do to window will NOT be seen by the webpage, BUT you can access the webpage and javascript through unsafeWindow. IF you make any changes to the javascript and/or DOM, it is possibly detectable by the page. Second, how scripts are injected into the page, and can the page detect it? Firstįrom what I can see, when you use none, the sandbox is disabled and you will have access to the webpage and its javascript. First, how the sandbox model works, how it impacts the userscript, what is accessible / seen from the webpage and userscript point of view, and if using a different sandbox model affects the page being able to notice your script being injected into the page (or not).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |