
GreaseMonkey: a two-edged sword

The Mozilla Firefox extension mechanism is a powerful feature; it gives browser users a great deal of flexibility in controlling how things work. One of the extensions attracting the most attention in the last few months is GreaseMonkey. It is, in fact, a classic example of why free software is a great thing, but also an illustration of how users can be invited to harm themselves.

The core idea behind GreaseMonkey is simple: it allows the user to associate JavaScript programs with specific sites on the net. When one of the identified pages (as determined by a regular expression) is loaded, the script gets a chance to rewrite things before the page is displayed. GreaseMonkey is, in other words, a mechanism which enables readers to automatically rework web pages into the form they would have liked them to be in the first place.

The GreaseMonkey script repository shows that there is a demand for this capability. Scripts have been posted which:

  • Remove articles or comments posted by specific users. Perhaps this would be a quick way to implement the comment filtering features occasionally requested for LWN.net.

  • Rewrite web pages to get rid of intrusive navigation bars, interstitial ad pages, etc. For those who want more ads, there is a script which inserts Google ads into the handful of pages on the net which do not yet have them.

  • Redirect SourceForge download links to skip the mirror selection page and simply get the requested files.

  • Delete Michael Jackson stories from certain news sites ("Best. Userscript. Ever.").

  • Rewrite Paul Graham's articles for better readability.

  • Create cross links between Netflix and IMDB.

And so on; the list appeared to be growing as this article was being written.

The operators of various web sites will, beyond doubt, get upset if GreaseMonkey use takes off. To anybody who wishes to have a high degree of control over the appearance and use of their site, GreaseMonkey will be a threat. But GreaseMonkey is a clear expression of software freedom: we will control how things work on our own computers. Our tools are written to maximize that control, and there is little that can be done about it.

GreaseMonkey does, however, potentially threaten that control in a different way. A tool which encourages users to download and run scripts from random parts of the net would appear to be an open door for security problems. If the browser's sandboxing works properly, a script should not be able to affect the system outside of the browser. But even the mere ability to rewrite HTML is asking for some trouble: how long will it be until some phisher posts a script that, while perhaps doing something useful, also redirects links within financial sites? It is not entirely clear how that sort of problem can be addressed - the same capability which can redirect all New York Times links to the "printable" version can point a password submission form to a third-party site.

In other words, while GreaseMonkey is a cool and powerful tool, it should be used with great care. Install a minimum number of scripts, look them over first, and, preferably, write them yourself. As the GreaseMonkey community grows, there will certainly be exploit attempts. Firefox is a relatively secure web browser; it would be a shame to ruin that by inviting in random malware from the net.
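One way to "look them over first" is to check which pages a script asks to run on before installing it. The sketch below is an added example, not code from the article or from the GreaseMonkey project. It assumes the script declares its scope in a `// ==UserScript==` comment block with `@include` / `@exclude` wildcard patterns; the sample script and the host names are constructed placeholders.

```javascript
// Constructed sample userscript (not a real published script).
const SAMPLE_SCRIPT = `// ==UserScript==
// @name        Printable news links
// @include     http://news.example/*
// @include     *
// @exclude     http://news.example/video/*
// ==/UserScript==
document.title = document.title;`;

// URLs the reviewer never wants a third-party script to touch (placeholders).
const SENSITIVE_URLS = [
  "https://bank.example/login",
  "https://pay.example/account",
];

// Pull @include / @exclude patterns out of the metadata block.
function parseMetadata(source) {
  const block = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  const meta = { include: [], exclude: [] };
  if (block) {
    for (const line of block[1].split("\n")) {
      const m = /^\s*\/\/\s*@(include|exclude)\s+(\S+)/.exec(line);
      if (m) meta[m[1]].push(m[2]);
    }
  }
  // Assumption: a script that names no @include is treated as matching every page.
  if (meta.include.length === 0) meta.include.push("*");
  return meta;
}

// Convert a wildcard pattern to an anchored RegExp; only "*" is special.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Report which sensitive URLs the script would run on, and via which pattern.
function auditScope(source, sensitiveUrls) {
  const { include, exclude } = parseMetadata(source);
  const findings = [];
  for (const url of sensitiveUrls) {
    if (exclude.some((p) => globToRegExp(p).test(url))) continue;
    for (const p of include) {
      if (globToRegExp(p).test(url)) findings.push({ url, pattern: p });
    }
  }
  return findings;
}

console.log(auditScope(SAMPLE_SCRIPT, SENSITIVE_URLS));
```

An empty result only says the declared scope stays away from the listed sites; the script body still needs reading.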



GreaseMonkey: a two-edged sword

Posted Mar 24, 2005 4:05 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

I was going to say something snarky about the "Rewrite Paul Graham essays for better
readability", but then I saw the actual scripts in question. And yes, both of them do things which
I think Graham's essays benefit from enormously: change the text width, and turn the footnotes
into links.

I admit, at first I thought it would be some kind of textual munging. :-)

GreaseMonkey is ENORMOUSLY useful

Posted Mar 24, 2005 4:40 UTC (Thu) by b7j0c (subscriber, #27559) [Link]

This is an extension I have been pining for. In fact I described hypothetically the "perfect extension" to people months ago...a way of executing user-built JavaScript (or some other DOM-manipulation language) at sites or URL patterns I specify. Voila! Already I have scripts to remove Overture ads from Yahoo pages. I remove the top matter crap from my.yahoo.com. I remove "inside Yahoo" links from Yahoo Search. Next: remove AdSense ads.

Many thanks for this excellent tool!

GreaseMonkey: a two-edged sword

Posted Mar 24, 2005 7:18 UTC (Thu) by Dom2 (guest, #458) [Link]

GreaseMonkey brings out the full potential for Mozilla and friends to be more like Emacs. Very easy to customize by advanced users. I'm totally sold on the idea.

I suspect for the most part that it will remain an "advanced user" thing, so we won't have to worry too much about what actually gets downloaded. The UI could make it easier to review scripts that are already installed. But I expect that this sort of thing will happen as development progresses.

-Dom

Removing an edge

Posted Mar 24, 2005 18:37 UTC (Thu) by pm101 (guest, #3011) [Link]

I think the problem is fixable. The trick would be to install scripts with appropriate permissions. One that can modify slashdot.org should only be allowed to modify pages on slashdot.org, and not on paypal.com or bankofamerica.com. You risk having a slashdot account stolen, but not much more. Secure sites remain secure.

Skimming the web page, it looks like it already has that functionality in place, although it's not clear from the documentation whether it is secure-by-default or insecure-by-default.

Removing an edge

Posted Mar 31, 2005 9:37 UTC (Thu) by alextingle (guest, #20593) [Link]

Or just disable it completely for https:// pages.

GreaseMonkey: a two-edged sword

Posted Mar 29, 2005 9:20 UTC (Tue) by csawtell (subscriber, #986) [Link]

At last, at long last, a way of removing those idiotic background images
which make pages well nigh impossible to read. It will do that, won't it?

Turning off background images

Posted Mar 31, 2005 17:48 UTC (Thu) by anton (guest, #25547) [Link]

You can turn off background images in Mozilla (and probably Firefox) through
Preferences -> Appearance -> Colors: Select "Use my chosen colors...".
The only downside I have noticed is that you then don't see the IMDB photos.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds