Include and exclude rules
The script will execute if it matches any include rule, as long as it does not match an exclude rule.
The rules are URLs, which can have a "wildcard" asterisk (*), which matches any string including the empty string. For example:
http://www.example.com/foo/* will match:
Include and exclude rules support the
* or globbing operator.
* serves as a wildcard that matches one or more of any character.
A rule can have several wildcards or none, in which case the rule must match the entire URL exactly.
Exclude rules look the same, and prevent the script from being executed.
// ==UserScript== // @include http://www.example.com/foo/* // @include http://www.example.org/*.bar // @exclude http://www.example.com/foo/baz // ==/UserScript==
If no include rule is provided,
@include * is assumed.
That is: every URL will be matched, within the allowed Greaseable schemes.
As of Greasemonkey 0.9.8, support for full regular expressions in include and exclude rules was added.
If the rule both starts and ends with a forward-slash (
/) character, the contents inside those slashes are interpreted as a a regular expression.
// ==UserScript== // @include /https?://www.example.com/*/ // @include /http://www.example.(org|net)/*/ // ==/UserScript==
new RegExp(), so you do not need to escape forward slashes inside the rule.
- The rule is always treated as case insensitive.
Greasemonkey will run scripts only on documents loaded from particular schemes. By default, those are:
.protocol property of any abstract
link element such as
<link>, or a DOM object such as
Greasemonkey will also run scripts on:
- Only if
greasemonkey.fileIsGreaseableis set to
- Only if
greasemonkey.aboutIsGreaseableis set to
(But about:blank is always allowed.)
In both cases this restriction is intended to prevent security/privacy vulnerabilities.
The only special syntax besides the wildcard is .tld. An include such as
http://www.example.tld/* will match any top level domain, such as
www.example.co.uk, and so on. One must be careful with this, to not accidentally leak data to a site that they did not mean to match. This list of TLDs includes a myriad of dual-segment TLDs (such as ca.us, aeroport.fr and kyoto.jp), beside the plain country or category codes (com, jp, se). For a full list see the Magic TLD page.
Data scheme user scripts
Browsers can open windows in which all of the page top content is contained in a data scheme URI. For example, the below URI will display a HTML page that indirectly includes an image from google.com as its sole content:
data:text/html;charset=utf-8,<html><head><title>data: test</title></head><body><img src='http://www.google.com/intl/en_ALL/images/logo.gif'></body></html></pre>
This link points to the above data URI and can be clicked to see it in action.
Firefox ignores unknown semicolon separated parameters in the header of a
data URI (and the standards seem to leave this possibility open) which means if one adds say the string
MyScript; in the header of the above URI, giving:
one can then use Include and exclude rules such as
to trigger user scripts to run on a subtype of
This ability can be useful if a user script creates one or more
data URIs and then opens them. Augmenting the URIs with some extra marking can cause specific user scripts to run in their windows. For example, a user script can create a
data URI that contains a HTML
table and trigger a user script for it that allows the user sort it.