How to apply Greasemonkey scripts to local files

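Today I wrote a GM script that I wanted to use on a local HTML file, and found that nothing I tried made it work, even though I remember this used to be possible. I then suspected a version update was the cause, so I googled it and found a good post: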

Quoted from: http://www.firefox.net.cn/forum/viewtopic.php?t=31181


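As of a recent update, Greasemonkey scripts can no longer be used on local files. In other words, GM scripts for turning text into links, automatic highlighting, select-to-translate and so on no longer have any effect on web pages saved locally, on the HTML pages of e-books, or even on clippings saved with Scrapbook.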


After a long and arduous search, I finally found what is almost the only thread discussing this problem:

Quote:
On Wed, Dec 30, 2009 at 1:00 AM, Matt Sargent <matt.sarg...@earthlink.net> wrote:

Until a recent release, Greasemonkey could run on locally stored HTML pages. This was very handy, especially when combined with the Scrapbook add-on. Does anyone know of a way to restore this behavior to a script?
>>>
On 12/29/2009 7:06 PM, esquifit wrote:
Since a couple of releases there are two new 'hidden' preferences:

greasemonkey.aboutIsGreaseable
greasemonkey.fileIsGreaseable

The default value is "false". If you want Greasemonkey to run on file:/// urls, you have to set the second one to "true" (in about:config).
>>>
On Fri, Jan 1, 2010 at 7:49 AM, Matt Sargent <matt.sarg...@earthlink.net> wrote:
THANK YOU!! This was exactly what I was looking for. It works perfectly.

In other words, changing the value of "greasemonkey.fileIsGreaseable" in about:config to "true" makes GM scripts work on local files.
However:
Quote:
esquifit
Fri, 01 Jan 2010 02:39:49 -0800

Glad to know. Keep in mind, however, that this implies a security risk. A malicious userscript could open a tab or a frame, load a "file:" url from your local drive into it, read the contents and send them to any server. Even binary files could be stolen in this way, including files stored in your Firefox profile containing sensitive information (passwords, cookies, history, etc). In order to know the exact location of the profile folder the attacker could either do a recursive scan of your hard disk (directory contents can also be listed via file: urls) until it reached the profile.ini file in which all profile directories are listed, or it could open the about:cache page and read the profile from there, provided access to about: urls is granted via the "greasemonkey.aboutIsGreaseable" preference. This security risk was in fact the motivation for the new preferences, as far as I can remember. This was handled in bug #1000:

http://github.com/greasemonkey/greasemonkey/issues/closed#issue/1000

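In other words, doing this carries a risk: for a malicious GM script it opens a wide door to stealing your private data.
This is not actually unsolvable. The approach: after enabling the preference above, for GM scripts that are confirmed safe and need to work on local files, add "file:///*" to their include rules through Greasemonkey's script manager; for scripts you do not trust, add the same rule to their exclude rules. When installing scripts, note that if a script applies to all pages (include rule "*"), you should change its include rule right after installation (for example to "http://") or add "file:///*" to its exclude rules as a precaution.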
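The include/exclude review described above can be checked mechanically. The following is an added example, not part of the original post or of Greasemonkey itself: it reads the `@include` / `@exclude` lines from userscript headers and lists the scripts that would still run on a `file:///` URL. The function names, the probe URL and the sample scripts are constructed; it assumes only the `*` wildcard, that a script with no `@include` is treated as `*`, and that rules edited later in the script manager are not reflected in the header.

```javascript
// Added example: audit userscript headers for file:/// coverage.
// Sample scripts below are constructed for illustration.

// Convert a Greasemonkey glob (only "*" is special here) to an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Extract @include / @exclude rules from the ==UserScript== metadata block.
function parseRules(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const rules = { include: [], exclude: [] };
  if (!block) return rules;
  for (const line of block[1].split('\n')) {
    const m = /^\s*\/\/\s*@(include|exclude)\s+(\S+)/.exec(line);
    if (m) rules[m[1]].push(m[2]);
  }
  return rules;
}

// True when some include rule matches the URL and no exclude rule does.
function runsOn(source, url) {
  const { include, exclude } = parseRules(source);
  const includes = include.length ? include : ['*']; // assumed default: no @include means "*"
  const hit = (globs) => globs.some((g) => globToRegExp(g).test(url));
  return hit(includes) && !hit(exclude);
}

// Names of scripts that would run on a local file (probe URL is hypothetical).
function auditLocalFileExposure(scripts, probe = 'file:///home/user/saved-page.html') {
  return Object.entries(scripts)
    .filter(([, src]) => runsOn(src, probe))
    .map(([name]) => name);
}

const SAMPLE_SCRIPTS = {
  'linkify-trusted': '// ==UserScript==\n// @name Linkify\n// @include file:///*\n// @include http://*\n// ==/UserScript==\n',
  'catch-all': '// ==UserScript==\n// @name Everything\n// @include *\n// ==/UserScript==\n',
  'catch-all-hardened': '// ==UserScript==\n// @include *\n// @exclude file:///*\n// ==/UserScript==\n',
  'http-only': '// ==UserScript==\n// @include http://*\n// ==/UserScript==\n',
  'no-include': '// ==UserScript==\n// @name Implicit\n// ==/UserScript==\n',
};

console.log(auditLocalFileExposure(SAMPLE_SCRIPTS));
```

Any script in the output that was not deliberately given local-file access is a candidate for a `file:///*` exclude rule or a narrower include rule.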
