My question is sort of two-fold. First, how the sandbox model works, how it impacts the userscript, what is accessible / seen from the webpage and userscript point of view, and if using a different sandbox model affects the page being able to notice your script being injected into the page (or not). Second, how scripts are injected into the page, and can the page detect it?
From what I can see, when you use
My understanding is, if you use
@grant unsafeWindow, your script will be isolated in its own js context, anything you do to
unsafeWindow. You will have regular access to the DOM, e.g.
document returns the regular page document rather than you needing to say
unsafeWindow.document. Obviously, any changes you make to the DOM or page js context (e.g.
unsafeWindow.foo = 'bar';) will still be detectable. The reason it is
unsafe is not because of being detected or not, but because you are able to potentially give the untrusted page access to privileged
GM_* functions in this mode, (which are not granted in regular mode, which means that
@grant GM_* for any function will isolate the js context, and you’ll lose access to the page’s js context unless you
How are scripts injected into the page? Is it possible that the webpage can notice the userscript injection (assuming the userscript modifies NOTHING on the page).
For example, if a script was injected using a
script tag, I think the page could possibly notice the script injection, even get a look at its code?
Does the sandbox model have any role in the way this happens, and make it “safer” to not be seen? For example, if the js contexts are isolated if you use
@grant unsafeWindow, then perhaps the js on the webpage can’t even see any userscript load event, making
@grant unsafeWindow fundamentally safer, UNLESS you go modifying the DOM or
unsafeWindow of course.
I’m also assuming that there’s no leak of special functions, objects, properties, etc (such as
GM_info to the webpage which would betray the existence of tampermonkey?). Neither in
@grant none mode or
@grant unsafeWindow mode (provided you didn’t leak anything to the page)
This lets me feel that
unsafeWindow is actually safer in terms of not being detected (because the js contexts are isolated), as long as you don’t go modifying anything (and especially DON’T expose privileged
GM_* functions to unsafeWindow). For example, if you used an eventListener on
@grant none mode, it may possibly be detected, but if you use it in
@grant unsafeWindow mode, it may not be detected because of the isolation? Furthermore, IF it was possible for a page to detect the userscript loading (I don’t know if this is actually possible or not), it wouldn’t know if the js contexts are isolated
In a brief summary, can a page detect either your userscript’s or tampermonkey’s existence IF you don’t betray it?
Are any of my above thoughts above incorrect in any area, and if so, how does it actually work?