Greasemonkey Manual:Environment: Difference between revisions

From GreaseSpot Wiki
Marti (talk | contribs)
m Moved heading levels down here
Marti (talk | contribs)
m →‎What's Missing?: Link into API core for XPathResult exposed
Line 33: Line 33:
* <code>window</code> is an [[XPCNativeWrapper|XPCNW]] of the content window.
* <code>window</code> is an [[XPCNativeWrapper|XPCNW]] of the content window.
** <code>document</code> is the document object of that (XPCNW) window object.
** <code>document</code> is the document object of that (XPCNW) window object.
* [http://www.xulplanet.com/references/objref/XPathResult.html XPathResult] is added, so that <code>document.evaluate()</code> works.
* [[XPathResult]] is added, so that <code>document.evaluate()</code> works.
* The entire script is contained inside an [http://en.wikipedia.org/wiki/Anonymous_function anonymous function], to guarantee each script is isolated from any other.
* The entire script is contained inside an [http://en.wikipedia.org/wiki/Anonymous_function anonymous function], to guarantee each script is isolated from any other.
** This means <code>window</code> is not the normal "global" scope.  After <code>var i=5;</code>, <code>window['i']</code> is not 5, it is not even set!
** This means <code>window</code> is not the normal "global" scope.  After <code>var i=5;</code>, <code>window['i']</code> is not 5, it is not even set!
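Review bot: on the XPathResult bullet, the replacement swaps the external reference link for the internal [[XPathResult]] link, so the bullet no longer points at any reference for the interface. Check that the [[XPathResult]] page exists and carries that reference link; otherwise keep the external link alongside the internal one.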

Revision as of 01:12, 4 January 2009



Why a Special Environment?

When Greasemonkey executes a user script, it does so in a special sandbox environment. Greasemonkey takes advantage of a Firefox feature called XPCNativeWrappers to insulate the user script from the content web page that it references.

Although this makes it more difficult, or impossible, to do certain things in your script, it is a necessary evil. Earlier versions of Greasemonkey had no such sandbox, and as a result, security holes were uncovered.

Greasemonkey provides certain enhanced APIs to the user script, so that it may accomplish things that a regular web page's JavaScript cannot. This useful feature has enabled some of the most popular scripts. Unfortunately, when abused, these powerful features can create serious problems. No exploits were ever uncovered in the wild, but the potential was too great, so the sandbox environment was created.

Luckily, for almost all the difficulties that the sandbox environment creates, there are still ways to accomplish the desired goal. The article Avoid Common Pitfalls in Greasemonkey does a wonderful job of explaining the most common snags and, for each one, how to work around the problem. It is essential reading for any script author.

Finally, of note is the unsafeWindow object present in the sandbox. As the name implies, use of this object is unsafe! This is the raw, un-sandboxed "window" of the content page. Certain limited tasks can only be accomplished by referencing this raw window directly, but be warned! JavaScript is a complicated and intricate language, and even the most basic operations can be redefined by the content page to perform other actions. The sandbox environment is provided for your safety, and the safety of any user of your script. If at all possible, use of unsafeWindow should be avoided.

What's Missing?

Depending on your usage, the special Greasemonkey environment may seem perfectly normal, or excessively limiting. The Greasemonkey environment is a vanilla XPCNativeWrapper of the content window, with only certain extra bits added or changed to emulate a normal environment. Specifically:

  • window is an XPCNW of the content window.
    • document is the document object of that (XPCNW) window object.
  • XPathResult is added, so that document.evaluate() works.
  • The entire script is contained inside an anonymous function, to guarantee each script is isolated from any other.
    • This means window is not the normal "global" scope. After var i=5;, window['i'] is not 5, it is not even set!

Since Mozilla provides a rich environment, there are a wide variety of things that have not been imported from the general content scope into the Greasemonkey sandbox. Including, but not limited to:

And so on. The more esoteric the method, the less likely that it has been included in the Greasemonkey sandbox.
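
The scope and wrapper behaviour listed above, together with the unsafeWindow warning, as an added example that is not part of the original manual or of Greasemonkey's code. It is a simplified model that runs in Node.js: `makeContentPage`, `wrapNative` and `runUserScript` are hypothetical names, and the Proxy is only a stand-in for an XPCNativeWrapper.

```javascript
// Constructed model of a content page: native behaviour plus page-script changes.
function makeContentPage() {
  const natives = { getElementById: (id) => ({ id, native: true }) };
  const raw = Object.assign({}, natives); // the object page script can modify
  const log = [];
  // Page script redefines a basic operation and defines a global of its own.
  raw.getElementById = (id) => {
    log.push("page code ran for " + id);
    return { id, native: false };
  };
  raw.pageGlobal = "set by page";
  return { natives, raw, log };
}

// Hypothetical stand-in for an XPCNativeWrapper: lookups resolve only to the
// native implementations, so page overrides and page globals are not visible.
function wrapNative(page) {
  return new Proxy({}, {
    get: (_target, name) =>
      Object.prototype.hasOwnProperty.call(page.natives, name)
        ? page.natives[name]
        : undefined,
  });
}

// The script source is compiled into its own function, mirroring the anonymous
// function wrapper: its `var` declarations are locals, not window properties.
function runUserScript(source, page) {
  const script = new Function("window", "unsafeWindow", source);
  return script(wrapNative(page), page.raw);
}

const USER_SCRIPT = `
  var i = 5;
  return {
    leaked: window['i'],                                    // undefined
    pageGlobal: window.pageGlobal,                          // undefined
    viaWrapper: window.getElementById('login').native,      // true
    viaUnsafe: unsafeWindow.getElementById('login').native, // false
  };
`;

function demo() {
  const page = makeContentPage();
  return { result: runUserScript(USER_SCRIPT, page), pageLog: page.log };
}

console.log(demo());
```

The `pageLog` entry shows that the call made through `unsafeWindow` handed control to code the page defined, which is why any value obtained that way has to be treated as untrusted input.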
