import/include/require scripts from the site the script is active on

§
Posted: 2014-05-12
Edited: 2014-05-12

I just noticed that our rules about external scripts have changed somewhat.
And I need to confirm whether it's OK to use scripts from the site which the script works on.

I'm not sure if loading scripts from the site the script is active on is allowed.
For example, I have a script which will act on example.com
// @include http://*.example.com/*
so, can I do this:
// @require http://example.com/js/xzy.js

Also, if example.com uses example.org as its CDN, can I
// @require http://example.org/js/xyz.js

Since scripts hosted by the origin site are useful and I can hardly know when and how they change.

----

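My English is poor, so let me restate what I want to say.

I just noticed that the rules about external scripts have been modified somewhat.
So my question now is whether I can include scripts that come from the very site the user is visiting.

For example, my script has
// @include http://*.example.com/*
then can I
// @require http://example.com/js/xzy.js

And even, if example.com uses example.org as its static cache server, can I
// @require http://example.org/js/xyz.js

Because I have no control at all over updates to these scripts, but these scripts are necessary for my script's functionality.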

§
Posted: 2014-05-12

I don't think this is allowed right now: https://greasyfork.org/help/external-scripts

But if stripping the domain from the @include or @match is easily done, I like it.
It does bring some extra security issues. One issue is when sub-domains are not maintained by the main domain's developers. For GitHub, for example, the main domain is maintained by GitHub, but the sub-domains can be maintained by anyone who makes a sub-domain.

§
Posted: 2014-05-12

So, any suggestions for a workaround?

§
Posted: 2014-05-12

There are multiple ways to work around it, but you have to find them out yourself.

One solution I can suggest is to upload the script as a library if that fits and is allowed by the original author.

§
Posted: 2014-05-12
Edited: 2014-05-12

Actually, the reason I care about this issue is that one of my scripts needs to load an external script from the site it is active on.
https://greasyfork.org/scripts/429-replace-bilibili-bofqi
For example, when a user visits
http://www.bilibili.tv/video/av1116683/
(It's a 404 page without this script)
This script will generate the main body of the page.
While doing so, it inserts some script tags into the head, like
<script src="http://static.hdslb.com/js/page.arc.js">
This external script can be found in the source code of other video pages, like
http://www.bilibili.tv/video/av314/
I need these scripts to make this page work properly.
And I cannot know when or how the site will modify them.
So I cannot host these scripts on other servers.
Should I contact an admin/mod or should I just delete this script here?
P.S. bilibili.tv may redirect to bilibili.kankanews.com if you are not logged in.

§
Posted: 2014-05-12

In principle, I have no problem with a script including a script from the site it's affecting, but there are practical issues:

- As jerone noted, for a site like GitHub this would not be secure
- If the site uses a different domain for its static content, how would we know the two domains are connected?
- What about scripts that affect multiple domains?

I think the easiest solution here would be to add static.hdslb.com to the whitelist. It may be sustainable to do it on a one-by-one basis if this is an uncommon situation.

§
Posted: 2014-05-12

So, do we have a whitelist per script?

Users who use bilibili.tv may accept scripts from static.hdslb.com since they regard these scripts as safe. But users who don't use this site may worry about the security of this script since it's obfuscated and it isn't a well-known public script host.

I know it's hard to determine which script is harmless and which script is not. So should I just contact an admin/mod to review the usage if needed? Should the scriptwriter declare these cases clearly when uploading his/her script?

§
Posted: 2014-05-12

I don't understand why you want to use @require?
Your code already contains a solution for including a javascript file...

§
Posted: 2014-05-12

There's no whitelist per script right now.

It's not really a matter of if a host is known to any particular user, but rather if we're reasonably confident that that host does not and will not have malware on it. When I go to http://static.hdslb.com/ I see "CDN". I guess my question would be is this a third-party public CDN, or is it something just bilibili uses, or is it something where anyone can upload whatever they like.

This is Chinese, so maybe @JixunMoe has an idea.

§
Posted: 2014-05-13

> I don't understand why you want to use @require?
> Your code already contains a solution for including a javascript file...

The new version of the rules not only mentions the "require" form of external script, but also talks about adding script tags to the web page.

§
Posted: 2014-05-13
Edited: 2014-05-13

As far as I know, hdslb.com is used by bilibili.tv/bilibili.kankanews.com/bilibili.com (哔哩哔哩) and some related sites including drawyoo.com (画友), corari.com/hdslb.com (协作乡, seems the website is not working), and 9ch.co (第九频道).

Users of these sites may upload avatars or video cover pictures to this site.
Users of bilibili may upload stylesheets to space.bilibili.tv, and the CSS is filtered by some keywords such as "expression".
But that does not include scripts, as far as I know.

§
Posted: 2014-05-13

I've added static.hdslb.com to the whitelist. If you update your script it should go through now.

§
Posted: 2014-05-13

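Maybe what I said was not clear.
I mean that currently I am adding these script tags to the web page.
And I think it may violate the rules on external scripts.
So I am asking for help on whether I can do this or whether there is any workaround.
But actually, I do not need to @require it.
So it's not an issue with the auto-checker.

--

(As expected, my poor English leads others to misunderstand...)

Maybe I didn't explain clearly before.
My current script needs to add these script elements to the web page.
Because I think this may violate the site's rules on external scripts,
I came here to ask whether it is allowed or whether there is any solution.
But I do not need to @require these scripts directly.
In other words, I do not need the automatic checker to recognize this domain.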

§
Posted: 2014-05-13

Right, if you want to include an external script but not through @require, it's fine as long as the script is in the whitelist and you're not trying to hide what you're doing.

§
Posted: 2014-05-14

I have just been thinking that it may not be appropriate to add this website to the whitelist.
Since it is not a site for hosting libraries. And it may not be used with other scripts here. And I also have no idea whether it would change frequently.

If there is a script like this
// @include http://*bilibili.tv*
// @require http://static.hdslb.com/js/page.arc.js

I think it should be OK, in my opinion.

But if there is a script with
// @include http://*facebook.com*
// @require http://static.hdslb.com/js/page.arc.js

I also think it is unacceptable.

So, I don't think it is a good idea to add this domain to the whitelist.
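
Added example, not part of any post in this thread and not Greasy Fork's own code: a sketch of the check the discussion keeps returning to, comparing each @require host with a site-wide whitelist and with the hosts in the script's own @include/@match lines. The function names, verdict labels and sample metadata are assumptions; it shows that a site-wide whitelist accepts static.hdslb.com for a facebook.com script as readily as for a bilibili.tv one, and that without the whitelist a site's CDN on another domain looks external.

```javascript
// Added example: classify each @require of a userscript against a site-wide
// allowlist and the hosts in its own @include/@match lines.

// Collect "// @key value" lines from a metadata block.
function parseMeta(source) {
  const meta = {};
  for (const m of source.matchAll(/^\/\/[ \t]*@(\S+)[ \t]+(\S+)[ \t]*$/gm)) {
    (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// "http://*.example.com/*" -> "example.com"; null if the host part is still
// a glob after removing a leading "*." (too broad to compare safely).
function patternHost(pattern) {
  const m = /^[a-z*]+:\/\/([^\/]+)/i.exec(pattern);
  if (!m) return null;
  const host = m[1].replace(/^\*\./, '').toLowerCase();
  return host.includes('*') ? null : host;
}

function classifyRequires(source, allowlist) {
  const meta = parseMeta(source);
  const sites = [...(meta.include || []), ...(meta.match || [])]
    .map(patternHost).filter(Boolean);
  return (meta.require || []).map((url) => {
    const host = new URL(url).hostname;
    // Site-wide allowlist: passes no matter which site the script targets.
    if (allowlist.has(host)) return 'allowlisted';
    if (sites.includes(host)) return 'same-host';
    // Dot-anchored suffix match, so "notexample.com" is not "example.com".
    // A sub-domain may be run by someone other than the site owner.
    if (sites.some((s) => host.endsWith('.' + s))) return 'sub-domain';
    return 'external'; // includes a site's own CDN on another domain
  });
}

// Constructed sample metadata, modelled on the cases in the thread.
const head = (inc, ...reqs) => [`// @include ${inc}`,
  ...reqs.map((r) => `// @require ${r}`)].join('\n');
const bilibili = head('http://*.bilibili.tv/*', 'http://static.hdslb.com/js/page.arc.js');
const facebook = head('http://*.facebook.com/*', 'http://static.hdslb.com/js/page.arc.js');
const example = head('http://*.example.com/*', 'http://example.com/js/xzy.js',
  'http://user.example.com/lib.js', 'http://notexample.com/x.js');
const allow = new Set(['static.hdslb.com']);

console.log(classifyRequires(bilibili, allow), classifyRequires(facebook, allow));
console.log(classifyRequires(bilibili, new Set()), classifyRequires(example, allow));
```

The glob form used in the post above, `http://*bilibili.tv*`, is rejected by `patternHost` because it also matches hosts that merely contain that string.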

§
Posted: 2014-05-14

I don't think that's unacceptable. It may be senseless or pointless depending on the script, but it's not a security issue as far as I can see.

§
Posted: 2014-05-14

Static.hdslb.com is a private CDN for bilibili users.

The site (bilibili) applies restrictions to non-members by returning a 404 message, so the necessary dependencies are not loaded.

The user script mentioned above will try to manipulate some info and then inject site dependencies to bypass those restrictions.

So, the point @ts is trying to make is that we should be allowed to execute an external script that belongs to the website, no matter whether it is whitelisted.

IMO, this really depends on the script author, who should make this clear in their description, specifying the use and where the external link can be found. Moreover, this will help us moderators judge whether or not the script is legit.
