dean.edwards.name/weblog/2005/03/ungreased/

How To Disable GreaseMonkey On Your Web Site

Sorry Aaron. I like GreaseMonkey. I really do. Let me explain.

You see, GreaseMonkey broke my site. I didn’t realise what the problem was at first. I use a JavaScript syntax highlighter to make code on this site look slightly less boring. It uses some regular expressions and a little bit of DOM scripting. After installing GreaseMonkey I noticed that some of my code samples were completely broken in Firefox.

The trouble was, that one of the default GreaseMonkey user scripts (linkify) was altering the DOM before my script got there. The DOM my script was expecting to see wasn’t the DOM it got. GreaseMonkey can break DOM scripting.

This is a problem we are going to see more of (User scripts come to Opera as of version 8.0 beta 3). The solution to this is to use defensive scripting. Script authors will now have to account for the fact that someone else may be messing with their DOM. Code accordingly.

There are extreme cases of course. Cases where you just don’t want your DOM screwed with. What you really want to do is disable GreaseMonkey. Turn the bloody thing off.

Here you go:

 document._createElement = document.createElement;
 document.createElement = function(tagName, password) {
    if (tagName != "SCRIPT" || password == "My scripts are OK!") {
        return document._createElement(tagName);
    }
 };

Insert that little script in your page and GreaseMonkey is no more. The downside is of course, advertisers can do this too…

Comments (53)

Leave a comment

While this is a way out for Greasemonkey, you’ll have no way out with Opera, as Opera has every option of rewriting your script before it executes, using the BeforeScript and BeforeExternalScript events.

  • Comment by: Arve
  • Posted:

This is a heads-up to the browser developers I guess. Leave a back-door please! We won’t always use it but it’s nice to know it’s there…

  • Comment by: -dean
  • Posted:

Why is it that some people don’t realise that what a user does to content they download is their own business?

Just add a little warning saying “if this looks bad, try turning user scripts off” and be done with it.

  • Comment by: Tom
  • Posted:

So, Opera’s giving me yet another reason to pay it only the mildest of attention while I’m developing, then?

  • Comment by: John Y.
  • Posted:

I think the larger issue here is scripts that are turning DOM compliant browsers into non-compliant ones.

I’d like to see less of the “Emulate IE” in other browsers, and more “Emulate true standards” in IE.

  • Comment by: Patrick.Denny
  • Posted:

Er, John. No. You are however encouraged to develop with standards, trust that you do the right thing, and not care particularily whether a user script will conflict with your sites/pages/application: Users have chosen to add these scripts themselves, and they should be able to turn them off entirely by themselves as well. Besides, apart from site fixes, this is a feature that will only ever be used by a tiny minority of the users, just like only a tiny percentage of users create user stylesheets.

  • Comment by: Arve
  • Posted:

“Cases where you just don’t want your DOM screwed with.” -quote

“Your DOM”? I am sorry, but once your code leaves your server, it is no longer “your DOM” but the “user’s DOM” and they can screw with it as they please.

Deal with all possibilities, but don’t *limit* a user’s palette of abilities. I thought we all went through this already with things like disabling right click and target=”_blank” ?

  • Comment by: GreyWyvern
  • Posted:

“Your DOM”? I am sorry, but once your code leaves your server, it is no longer “your DOM” but the “user’s DOM” and they can screw with it as they please.

Comment by GreyWyvern

Maybe you’re right. I haven’t disabled GreaseMonkey on this site. I coded around the linkify changes instead. But there is an issue here I feel. It looks like we are entering an era of scripting and web applications. It might mean that those applications might have to be coded a lot more defensively or at least carry a warning about user scripting.

  • Comment by: -dean
  • Posted:

There are two groups who needs “warnings”:

First, it’s site authors: They need to code with accessible, rich, semantic markup. Meaning: minimize the need for user scripting to route around real problems.

But, it’s also for user script authors: They will need to be defensive about their scripting: Don’t mess with documents that have already done what your user script does.

  • Comment by: Arve
  • Posted:

In light of the above comments. I provide this as an alternative way of disabling GreaseMonkey:

 document._createElement = document.createElement;
 document.createElement = function(tagName, password) {
    if (tagName == "SCRIPT" && password != "My scripts are OK!") {
        if (!confirm("Some GreaseMonkey user scripts can adversely affect the display of this page.\n" +
            "Do you want to allow user scripts on this page?")) return;
    }
    return document._createElement(tagName);
 };
  • Comment by: -dean
  • Posted:

Grease-blockers Grease-blockers: Dean Edwards twists the “blocker” theme upside-down with his article “How To Disable GreaseMonkey On Your Web Site”. (For Greasemonkey background, see CNET.) Usually site visitors block things they don’t like from site creators, l…

  • Trackback by: JD on MX
  • Posted:

Next thing you know, they’re going to give the user the option to disable javaScript all together and then we’ll all be screwed.

  • Comment by: Gill
  • Posted:

[...] ing on your right as a web developer, have no fear, Dean Edwards has come up with a way to disable it. You can even join the huge debate on his comments section. [...]

A confirm box? You’re lucky if somebody like me has JavaScript turned on when they visit your site, it won’t be on much longer if you throw confirm boxes in their faces.

  • Comment by: Tom
  • Posted:

You’re lucky if somebody like me has JavaScript turned on when they visit your site…

Isn’t that a little bit like visiting csszengarden with CSS turned off? All of my work is JavaScript or JavaScript related.

  • Comment by: -dean
  • Posted:

Today’s Jots posts How To Disable GreaseMonkey On Your Web Site Tags: greasemonkey

‘The trouble was, that one of the default GreaseMonkey user scripts (linkify) was altering the DOM before my script got there. The DOM my script was expecting to see wasn’t the DOM it got. GreaseMonkey can break DOM scripting’

okay. In what way was the Dom changed?

  • Comment by: bryan
  • Posted:

linkify identifies text that looks like a link and wraps it with an <a> tag.

  • Comment by: -dean
  • Posted:

Heh, extensions don’t need to create an element to edit your page, so I’ll bet GM just comes out with a way to disable your disabler. =D

All it has to do is point document.createElement back to document._createElement.

I really don’t think you should be putting this disabler out there though. It’s not GM’s fault that somebody wrote a bad script. If you want to write something helpful you should create one that blocks certain grease monkey scripts, instead of all of them.

  • Comment by: Gerry
  • Posted:

LOL, the only people using “features” like this are people like us (well, not me) – that is, web developers. It’s like worrying about errant conditional comments for folks with standalone IE browsers installed. It’s just not an issue in the real world. It’s only an issue in the closed gene pool of web developers :-)

  • Comment by: Al Sparber
  • Posted:

Sort of, Al. We’ve got a lot of scripts, and there’s been a good bit of buzz.

If there is a user script that does something useful, Aunt Tilly will install it, even if it means asking her geeky nephew to help her out. As an example, several non-techie friends who are using Firefox have asked me to help them out with features like SessionSaver and AdBlocker. Extensions are gaining some mindshare, and I bet user scripts do to.

Thanks for starting this conversation on a reasonable note, Dean. I posted a pointer over on greaseblog.

It is, literally, impossible to “disable” Greasemonkey. (by a site owner using Javascript installed on their site) You can mess with its ability to perform certain actions, but then those can always be worked around, which you can then work around, which can then be worked around……. Talk about a barrel full of monkeys. It’s pretty funny that people are freaking out about Gm scripts “messing with their site”. Especially when we didn’t hear that about Firefox extensions and/or Javascript Bookmarklets. (afaik) I find this all very odd, as well as humorous, and interesting while I’m at it. As a web site developer, designer, programmer, implementer, and so on, I could care less what people (legally) do with “my (published) content” once it arrives on their client. And, in fact, I don’t really want to know. Talk about a fascinating exercise in human sociology and psychology engineering and observation. And then one day “this” will all blow over and people will roll their eyes in a smiling manner whenever someone thinks to mention it. Until then, sit back and enjoy the show. Until “next time”.

Bill-

You’re absolutely correct. The Serenity Prayer (or a secular counterpart) should be required for all web developers.

  • Comment by: Al Sparber
  • Posted:

Heh, well this disabler isn’t going to work for long. About two posts after the one where I listed this disabler on the Grease monkey mailing list one of the developers posted this:

“I found (well, someone at work found) a way for us to inject even earlier — into the actual source code before the browser gets it. That will be next change and should fix this DOMContentLoaded stuff.”

BTW, this posting script really needs to be updated so that people can add + modifiers to their email addresses.

  • Comment by: Gerry
  • Posted:

Keep in mind that people aren’t so much freaking out in a “OMG they are messing with my content!”, they’re getting concerned that user-scripting will cause the site not to function correctly. If user-scripting becomes popular, then you’ll have a potentially significant number of people visit your site, find it doesn’t work correctly and assume it’s the developer’s fault.

There’s only so much a site developer can do in terms of defensive scripting, client-side extensions/scripting can do all sorts to the page and trying to account for all possibilities is akin to trying to solve the halting problem. Whilst I’m firmly in the “give the user control” camp, there’s got to be some give and take.

in this case, i’d say the onus is on the user. if they install greasemonkey and then experience problems on a site, it’s their problem (and, in a broader sense, greasemonkey’s developers’ responsibility to fix it). however, i know that’s a very idealistic view on the subject, which doesn’t solve the immediate problem of users coming across what they think is a “broken” site (then again, considering that greasemonkey is not an extension that joe average would install, maybe it’s not such a huge problem…not sure).

OK. I’m closing comments on this one.

User scripts are the shape of things to come. Let’s continue this debate somewhere suitable:

http://greaseblog.blogspot.com/2005/03/user-script-arms-race-has-begun.html

  • Comment by: -dean
  • Posted:

[...] utilizado para desactivar la publicidad de los sitios web. Es por esto que Dean Edwards ha publicado una forma sencilla de impedir su ejecución con un simple JavaScript que podeis ver [...]

Greasemonkey escalation Greasemonkey escalation: Lots of activity around this Firefox extension, which can accept specific scripts, to make specific modifications to specific sites. A parallel for IE/Win has been created, then abandoned, but may spring up again. There is at l…

  • Trackback by: JD on MX
  • Posted:

Heard Here First As predicted: The user script arms race has begun! BTW: Am I stupid? Does the Greasemonkey blog have no RSS feed? No trackbacks? Someone set me straight here, please. I wanna subscribe. Update: Yep, I’m stupid. Thanks, Stephen, for confirming th…

[...] med script för att hindra ens besökare från att använda Greasemonkey dök upp. Men om man t& [...]

[...] that disables Grease Monkey on any website that includes the code. The battle has begun! Read More This entry was posted on Wednesday, May 18th, [...]

Disable Greasemonkey How To Disable GreaseMonkey On Your Web Site by Dean Edwards. As well as really valid reasons to do so….

  • Trackback by: Link-Fu
  • Posted:

[...] Compare Star Wars to Bush Administration Disabling Greasemonkey Link This entry was posted on Wednesday, May 18th, 2005 [...]

[...] s. Those revisions confused the page’s own Java script enough to break things. His work around is clever; though it’s just the start of a arms race. He change’s the [...]

[...] n Your Web Site Posted by Administrator under Technology  Source: dean.edwards.name Linkified   Leave a Reply Name (requir [...]

[...] websites. Unfortunately, I’m sure advertisers will figure this out soon as well. read more For those of you that dont know what GreaseMonkey is, it’s a way to add DHTM [...]

[...] Friday May 20, 2005 How To Disable GreaseMonkey How to disable GreaseMonkey on your web site. Written by Scott at 0 [...]

[...] bmasters o propietarios de sitios web. No en balde, ya hay quien ha creado un código para impedir que Greasemonkey modifique el sitio web. FUENTE: Consumer.es [...]

Waan en werkelijkheid met Greasemonkey Gevaarlijk (maar oh zo prachtig), die GreaseMonkey-extensie voor Firefox. O’Reilly-blogger Rael kon zijn eigen werkelijkheid niet meer onderscheiden van ‘de echte’ werkelijkheid, schrijft Jeremy Dunck op Greasemonkeys weblog: “(…) Rael made a pre…

[...] key scripts are showing up to set default prefs on the edit screens! …Something that I read the other day on a site detailing steps to disable Greasemonkey really clued [...]

[...] -Greasemonkey, but man… things are sure going to get ugly. The arms race is already beginning. Leave a Comment: Na [...]

Greasemonkey == Not anymore? I noticed in the latest number of a Swedish IT magazine called Internetworld that they have a list of top 10 applications to use in Firefox.

[...] g/toogle/” title=”http://c6.org/toogle/”>Toogle Image Search — How To Disable GreaseMonkey On You [...]

[...] you trust me not to flood you with spam or other ads is important. Dean Edwards recently wrote a script to disale Greasemonkey. …GreaseMonkey broke my site. I didn’t realise [...]

CSS, Web/Print Design, Freelancing Link Dump Just a pile of links that I’m dumping here, primarily for my future reference, but they might come in handy to somebody here. CSS Cheat Sheet Jello CSS Layouts Tips…

Links curiosos, Vol. 17 Aquí les va el décimo séptimo volúmen de Links curiosos de los últimos días: * Aglarond Blog: Star Wars vs Titanic * iPodizate: sí, un weblog sobre iPods * netadblog: publicidad censurada a MTV. * Sólo para geeks: Como deshabilitar Greasemonkey en

  • Trackback by: andufo.net
  • Posted:

[...] the “GreaseMonkey Conundrum”: Who really owns web layout? Many websites are preventing GreaseMonkey-enabled browsers from accessing their pages in order to keep control o [...]

[...] isage. This could have a commercial and technical angle if their use becomes wide-spread. For me the wider their use becomes the bette [...]

Making the Web your way with Greasemonkey Greasemonkey lets you run scripts when you visit a web site. Using a DHTML script stored on your computer it can change how a web site looks or functions to fit your preferences. Think of it as configuring a web site to your needs. There are lots of us…

[...] Pour commencer, voici quelques url qui peuvent être utiles pour faire des user scripts avec Greasemonkey : - « Writing User Scripts », explication rapide sur la création de scripts Greasemonkey, - « Gecko DOM Reference » - Une liste de User scripts alimentée par un wiki, - Le site UserScripts qui veut proposer un outil plus poussé pour catégoriser les différents scripts. - Une présentation en français sur le site du Journal du net dans la section développeurs. À noter : Les utilisateurs d’Internet Explorer peuvent aussi utiliser les user scripts l’aide de l’extension turnabout. La version 8 du navigateur Opera semble aussi pourvoir supporter les scripts utilisateurs. À noter encore : Utiliser GreaseMonkey peut causer quelques soucis avec les pages utilisant déj du javascript, voir ce témoignage [1]. [...]

[...] habe ich das hier gefunden: Dean Edwards: How To Disable GreaseMonkey On Your Web Site Wei nicht, ob das heutzutage noch so funktioniert oder ob sich Greasemonkey anders in die Seite [...]

[...] dettagli della procedura (che però non funziona sempre) possono essere approfonditi sul sito di Dean Edwards, l’autore [...]

Comments are closed.