javascript 网站可以知道我是否正在运行用户脚本吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8548141/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can a website know if I am running a userscript?
提问by vkefallinos
Can, for example, Facebook.com run a version control script on my browser and find out if I am running altered HTML code with the use of a script?
例如,Facebook.com 是否可以在我的浏览器上运行版本控制脚本,并使用脚本查看我是否正在运行更改过的 HTML 代码?
Could that be done with a script that can read the HTML code in the cache and produce some kind of hash tag that is sent back to the server and compared with the code that was sent to the client?
是否可以使用一个脚本来完成,该脚本可以读取缓存中的 HTML 代码并生成某种散列标签,然后将其发送回服务器并与发送到客户端的代码进行比较?
回答by Brock Adams
Yes, in theory, a site can deduce the presence of scripts in various situations.
是的,理论上,一个站点可以在各种情况下推断出脚本的存在。
This is not foolproof and usually is way too much trouble for the negligible "threat" to the site. (Then again, some webmasters can be obsessive-paranoids about such things. ;) )
这不是万无一失的,通常对于站点的微不足道的“威胁”来说太麻烦了。(话又说回来,有些网站管理员可能对此类事情过于偏执。;))
Some methods, depending on what the script does (in no particular order):
一些方法,取决于脚本的作用(无特定顺序):
Gaming or auction sites can monitor the timing (speed and regularity) of "bid" clicks.
A site can AJAX-back the count of say,
<script>nodes, looking for extras.Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.
Extra AJAX calls, or AJAX calls that don't meet hidden requirements can be noted (and allowed to appear to succeed).
If the script uses
unsafeWindowin just the right (wrong) way, a page can detect that and even hiHyman (slightly) elevated privileges."Clicks" that were not preceded by mouseover events can be detected. I've actually seen this used in the wild.
A page's javascript can often detect script-generated clicks (etc.)as being different than user generated ones. (Thanks, c69, for the reminder.)
游戏或拍卖网站可以监控“出价”点击的时间(速度和规律)。
一个站点可以 AJAX 支持说
<script>节点的数量,寻找额外的东西。同样,站点可以 AJAX 支持页面的任何或所有内容,并将其与预期值进行比较。
额外的 AJAX 调用或不满足隐藏要求的 AJAX 调用可以被记录下来(并允许看起来成功)。
如果脚本以
unsafeWindow正确(错误)的方式使用,页面可以检测到,甚至劫持(稍微)提升的权限。可以检测到不是鼠标悬停事件之前的“点击”。我实际上已经看到它在野外使用。
页面的 javascript 通常可以检测到脚本生成的点击(等)与用户生成的点击不同。(感谢c69的提醒。)
Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.
然而,最终优势在于用户脚本编写者。网页采取的任何对策都可以在用户端被检测到并阻止。即使是自定义的、必需的插件或必需的硬件加密狗,也可能被熟练和有动力的用户破坏。
回答by erikvold
Update: The methods below are fully ineffective as of Greasemonkey 3.3.
更新:从Greasemonkey 3.3 开始,以下方法完全无效。
See (Dead link) How-to Detect Greasemonkey.
请参阅(死链接)How-to Detect Greasemonkey。
Javascript to detect if GM is installed(but not whether a script is actually running on that page):
用于检测是否安装了GM 的 Javascript (但不是脚本是否实际在该页面上运行):
Obsolete Option 1:
过时的选项 1:
if (Components.interfaces.gmIGreasemonkeyService) {
alert("I smell a monkey!");
}
Obsolete Option 2:
过时的选项 2:
<script type="text/javascript" src="resource://greasemonkey/addons4.js"></script>
<script type="text/javascript">
if (typeof GM_addonsStartup !== "undefined") {
alert("I smell a monkey!");
}
</script>
