- Related Stories
-
Will Ajax help Google clean up?
March 17, 2005 -
Fight over 'forms' clouds future of Net applications
February 17, 2005 -
Firefox fortune hunters
November 17, 2004
That's one cautionary note making the rounds along with a popular new extension for Firefox that lets people customize Web pages they visit without the knowledge or cooperation of Web publishers. The extension, dubbed Greasemonkey, lets people run what's known as a "user script," which alters a Web page as the page is downloaded.
That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks and could stir trouble among site owners who object to individual, custom redesigns of their pages.
What's new:
Greasemonkey, an add-on for the popular Firefox browser, lets surfers customize the sites they visit. Using the extension, one could, for example, jump directly to "printer-friendly," and ad-free, stories on news sites.
Bottom line:
The catch is that the type of scripts used to enable the customization can also be used by cyberthugs to make mischief on people's PCs. Caution, then, is advised.
"Publishers for now seem to accept that it's OK for users to make some changes," said Danny Sullivan, editor of Search Engine Watch. "I can tell my browser not to run JavaScript, for example, and that could override what the publisher wants the page to do. But people are still struggling with where the line is. Some of these things may go to court, but I think in the long run publishers...will adapt...or develop other ways to combat it."
The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that--adjust colors, font sizes and other style elements.
Greasemonkey goes well beyond such superficial changes. Among other things, Greasemonkey can strip out ads, a feature that's sure to prove controversial with publishers, if it crosses over to the mainstream.
Web site customization tools that give Web surfers the ability to "rip and mix" Web page elements have drawn fire in the past when publishers balked at alterations. Google, for example, got into hot water with some sites after it released a toolbar that offers Web surfers the option of inserting hyperlinks into pages through its AutoLink feature.
In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.
By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colors and make the site "less ugly," the page says.
 | ||||
| | | ||
| Related story Google toolbar move raises online ire  Adding hyperlinks where there weren't any before is like hijacking a Web site, some critics say. | | ||
| | ||||
| | ||||
Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and remove image copy restrictions from Google Print. (CNET News.com's tests of various scripts showed that some were more successful than others at delivering promised results.)
In what could signal a trend toward user scripts, Norwegian browser maker Opera Software has picked up the idea, adding similar functionality to beta 3 of Opera 8, acknowledging Greasemonkey on its Web site.
Regardless of how Web sites react to Greasemonkey--Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts--the extension will have to face down substantial security concerns.
The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning
See more CNET content tagged:
Web surfer, publisher, DHTML, extension, Firefox
http://dunck.us/anabasis/archives/2005/03/19/user-scripts-spreading-to-opera/
However, Greasemonkey was developed in a vacuum. I guess the conditions were right for this to be developed, and the two projects happened to overlap. IE implementation any day now...?
It sure is the most annoying!
It's whose, not who's!
http://dunck.us/anabasis/archives/2005/03/19/user-scripts-spreading-to-opera/
However, Greasemonkey was developed in a vacuum. I guess the conditions were right for this to be developed, and the two projects happened to overlap. IE implementation any day now...?
It sure is the most annoying!
It's whose, not who's!
More comments at mozillazine.org: http://www.mozillazine.org/talkback.html?article=6274
It is an important difference over bookmarklets; it's quite possible for someone to install a user script and not think about it as they browse.
Also, I tend to think of user scripts as extensions with a stricter security model (same as regular in-page JS security model).
More comments at mozillazine.org: http://www.mozillazine.org/talkback.html?article=6274
It is an important difference over bookmarklets; it's quite possible for someone to install a user script and not think about it as they browse.
Also, I tend to think of user scripts as extensions with a stricter security model (same as regular in-page JS security model).
I see a time coming very soom when things like this will result in law suites. It happened to Google for changing sites and I suspect that large sites with the money for the lawyers will be going after people that change their web sites. After all most of these sites rely on advertising and anything that messes with that is going to get slammed with law suites.
The 26 year that made Greasemonkey as well as Opera for adding such feature to thier browser directly needs to be gone after. I hope it happens and I hope they both loose greatly.
People and companies need to respect everyone's copyrighted material.
Robert
And those people who use babelfish translation tools to view my pages in French? Well, we already know how innately evil those Frenchies are. Sue 'em all, the bastards!
I heard there are even people using Microsoft's XP offline feature to MAKE COPIES OF MY WEB PAGES ON THEIR LAPTOPS for offline reading. How dare they! *I* own the copyright to my pages, and *I* dictate who can see them, how they can see them, and what they can do with them. No more adjusting fonts, no more Flash-removal bookmarklets, it's all evil evil evil.
Why? Because, as a Webmaster, I control the horiontal, I control the vertical! You... you are nothing but a peon visitor to my fine pages, and you do not have rights.
Got a problem with that? How 'bout I send the RIAA lawyers after you? Hrumph. Because I bet you're the same sort of scoundrel that makes MIX tapes for friends (those songs were NOT meant to be heard out of order... apart from their albums). You probably bastardize the sound of songs with an EQUALIZER, too. That's *NOT* how the artists intended their music to be listened to! It's not!!!
In fact, I'm talking with stereomakers right now to get those equalizer thingamabobs taken off.
MY CONTENT! It's MY CONTENT. Did you hear me?!?!?!?!!!!!!!11111
I dog-ear pages; I rip pages out of magazines; I cut articles from newspapers. Why shouldn't I be able to do similar things with web sites (change font size, pass it through a text-to-speech program, highlight sections, translate it to my native language).
DRM is not to protect copyright; don't let anyone tell you different. DRM removed fair use rights from the consumer.
So, if you're running the user script only for personal use, you're pretty legally secure. Yes, as someone pointed out, this is part of fair use doctrine.
The only legal exception I am aware of to fair use is the DMCA's prohibition against circumventing a copy-protection mechanism--but, then, that section of that law is flawed anyway.
Yes, the content may be your property, but if you want to dictate what others do with it for personal use, you have to wrap it in copy-protection that prevents them from using it in any way you don't like. If I'm remembering the DMCA's terminology correctly, this copy-protection must be technological in nature. Sorry, a legal notice won't work; you actually have to give them something to break through first.
By the way, I'm not a lawyer--I just read the text of these laws and agreements affecting copyright for my own research.
Did you know that satire is protected fair use? If I wanted, I could copy parts of your posts just to make fun of them in a satirical way . . . Fortunately, I'm not interested in doing that. I just thought I would point that out to explain your "ownership" only entitles you, and Hollywood and the RIAA, to so much. It's the major loophole they slipped past Congress in the DMCA that gives them so much control, but as I said, you need to use copy-protection to use that loophole.
P.S. Technically, circumventing copy protection for fair use purposes is legal--Congress invalidated this, though, by making it illegal to create any tool that circumvents copy-protection. It provides no exceptions for this part of the law, assuming I'm remembering correctly. Thus, effectively, since you generally need a tool to circumvent copy-protection, even fair use becomes illegal for copy-protected works. Boy, did Hollywood and the RIAA pull the wool over Congress's eyes on that one.
. . . and copyright holders need to return that respect by respecting the fair use rights of those people and companies. Both sides need to learn respect. Hollywood and the RIAA clearly have no respect for fair use, except when it benefits them. It's obvious you don't either, and you don't deserve any copyright you own until you learn that respect.
I see a time coming very soom when things like this will result in law suites. It happened to Google for changing sites and I suspect that large sites with the money for the lawyers will be going after people that change their web sites. After all most of these sites rely on advertising and anything that messes with that is going to get slammed with law suites.
The 26 year that made Greasemonkey as well as Opera for adding such feature to thier browser directly needs to be gone after. I hope it happens and I hope they both loose greatly.
People and companies need to respect everyone's copyrighted material.
Robert
And those people who use babelfish translation tools to view my pages in French? Well, we already know how innately evil those Frenchies are. Sue 'em all, the bastards!
I heard there are even people using Microsoft's XP offline feature to MAKE COPIES OF MY WEB PAGES ON THEIR LAPTOPS for offline reading. How dare they! *I* own the copyright to my pages, and *I* dictate who can see them, how they can see them, and what they can do with them. No more adjusting fonts, no more Flash-removal bookmarklets, it's all evil evil evil.
Why? Because, as a Webmaster, I control the horiontal, I control the vertical! You... you are nothing but a peon visitor to my fine pages, and you do not have rights.
Got a problem with that? How 'bout I send the RIAA lawyers after you? Hrumph. Because I bet you're the same sort of scoundrel that makes MIX tapes for friends (those songs were NOT meant to be heard out of order... apart from their albums). You probably bastardize the sound of songs with an EQUALIZER, too. That's *NOT* how the artists intended their music to be listened to! It's not!!!
In fact, I'm talking with stereomakers right now to get those equalizer thingamabobs taken off.
MY CONTENT! It's MY CONTENT. Did you hear me?!?!?!?!!!!!!!11111
I dog-ear pages; I rip pages out of magazines; I cut articles from newspapers. Why shouldn't I be able to do similar things with web sites (change font size, pass it through a text-to-speech program, highlight sections, translate it to my native language).
DRM is not to protect copyright; don't let anyone tell you different. DRM removed fair use rights from the consumer.
So, if you're running the user script only for personal use, you're pretty legally secure. Yes, as someone pointed out, this is part of fair use doctrine.
The only legal exception I am aware of to fair use is the DMCA's prohibition against circumventing a copy-protection mechanism--but, then, that section of that law is flawed anyway.
Yes, the content may be your property, but if you want to dictate what others do with it for personal use, you have to wrap it in copy-protection that prevents them from using it in any way you don't like. If I'm remembering the DMCA's terminology correctly, this copy-protection must be technological in nature. Sorry, a legal notice won't work; you actually have to give them something to break through first.
By the way, I'm not a lawyer--I just read the text of these laws and agreements affecting copyright for my own research.
Did you know that satire is protected fair use? If I wanted, I could copy parts of your posts just to make fun of them in a satirical way . . . Fortunately, I'm not interested in doing that. I just thought I would point that out to explain your "ownership" only entitles you, and Hollywood and the RIAA, to so much. It's the major loophole they slipped past Congress in the DMCA that gives them so much control, but as I said, you need to use copy-protection to use that loophole.
P.S. Technically, circumventing copy protection for fair use purposes is legal--Congress invalidated this, though, by making it illegal to create any tool that circumvents copy-protection. It provides no exceptions for this part of the law, assuming I'm remembering correctly. Thus, effectively, since you generally need a tool to circumvent copy-protection, even fair use becomes illegal for copy-protected works. Boy, did Hollywood and the RIAA pull the wool over Congress's eyes on that one.
. . . and copyright holders need to return that respect by respecting the fair use rights of those people and companies. Both sides need to learn respect. Hollywood and the RIAA clearly have no respect for fair use, except when it benefits them. It's obvious you don't either, and you don't deserve any copyright you own until you learn that respect.
What is up with the state of investigation on this site lately. Many basic errors that would take a few minutes of research to prevent!
Anything the user uses to intentionally change the content for their own use personal use should be fine. Like I said, you can do it yourself as long as you don't spread it around or show it to someone else, but I could see a judge say that helping someone do it by providing a tool is a violation. Hopefully, it would fail on appeal.
What is up with the state of investigation on this site lately. Many basic errors that would take a few minutes of research to prevent!
Anything the user uses to intentionally change the content for their own use personal use should be fine. Like I said, you can do it yourself as long as you don't spread it around or show it to someone else, but I could see a judge say that helping someone do it by providing a tool is a violation. Hopefully, it would fail on appeal.
I have to say I really don't think there is much that companies can do via litigation to stop or kill this kind of thing. Instead capitalists will do what they always have done and adapt.
http://russ.johnsonville.net/default.aspx?Page=Blog
I have to say I really don't think there is much that companies can do via litigation to stop or kill this kind of thing. Instead capitalists will do what they always have done and adapt.
http://russ.johnsonville.net/default.aspx?Page=Blog
Just wow. Where do you come from dude?
Just wow. Where do you come from dude?
If you don't like the terms of use, then leave. People don't have a right to free information.
I mean, it also says you can't "participate in the transfer or sale of . . . any of the materials or content or our sites in whole or in part." I understand sale of, but by receiving the content by viewing the sale, aren't you participating in the transfer of the content of the site in part?
Just because something is stated in the terms of use doesn't mean it is valid or legal. Clearly, viewing the web site is legal, and I doubt C-Net Networks would counter that position. I would even say you are legally secure saving one of these documents on your hard drive for later viewing, and even changing the content, as long as you're the only one who ever sees it.
Writing a user script and using it client side thus seems to be pretty hard to attack legally to me. Spreading a user script around, however, could be problematic, depending on what it does. That would have to be tested in court.
Riiiight, because that's not inane at all, is it?
If you don't like the terms of use, then leave. People don't have a right to free information.
I mean, it also says you can't "participate in the transfer or sale of . . . any of the materials or content or our sites in whole or in part." I understand sale of, but by receiving the content by viewing the sale, aren't you participating in the transfer of the content of the site in part?
Just because something is stated in the terms of use doesn't mean it is valid or legal. Clearly, viewing the web site is legal, and I doubt C-Net Networks would counter that position. I would even say you are legally secure saving one of these documents on your hard drive for later viewing, and even changing the content, as long as you're the only one who ever sees it.
Writing a user script and using it client side thus seems to be pretty hard to attack legally to me. Spreading a user script around, however, could be problematic, depending on what it does. That would have to be tested in court.
Riiiight, because that's not inane at all, is it?
Greasemonkey allows the end user to modify a web page on the client side only, as does google. But google wants to throw in ads and whatnot that might damage the website. Like putting amazon ads on a small online bookstores page. With grease monkey the user can alter the way he views it, and I doubt a user is going to add ads to a page through greasemonkey.
And no, this is not a copyright violation. If I used it to alter websites in some way, your web site has not been touched, nor does it affect your next visitor.
Greasemonkey allows the end user to modify a web page on the client side only, as does google. But google wants to throw in ads and whatnot that might damage the website. Like putting amazon ads on a small online bookstores page. With grease monkey the user can alter the way he views it, and I doubt a user is going to add ads to a page through greasemonkey.
And no, this is not a copyright violation. If I used it to alter websites in some way, your web site has not been touched, nor does it affect your next visitor.
No I do not want your cookies, (one site I've visited had eight)
NO I DO NOT WANT TO STRAIN MY EYES to read your supersmall obscure typeface
No I do not want your ads. I know how to use
Google and I can spell Wandangle Widget just fine so the next time I need one I can get it myself
......
Oh, and by the way, and if I do use Google I don't want your search engine hijacking my request
(I had a non search item pop-up generate because the site I went to had an ad for a similar unwanted item)
If I want a right-handed widget pole the last thing I need is an ad for left handed goose oil, let alone TWO ADS
SO
until you tell me truthfully what ALL is on your site I WILL USE WHATEVER MEANS to remove unwanted material
you sound like the spammers that intentionally misspell words so the spam filters will allow it to pass, anything so your content will be viewed
WELL there is an uprising and you WILL fall along with your intrusive ads and unwanted pop-ups and impossible to read type
SURFERS OF THE WEB UNITE!!!
Robert
No I do not want your cookies, (one site I've visited had eight)
NO I DO NOT WANT TO STRAIN MY EYES to read your supersmall obscure typeface
No I do not want your ads. I know how to use
Google and I can spell Wandangle Widget just fine so the next time I need one I can get it myself
......
Oh, and by the way, and if I do use Google I don't want your search engine hijacking my request
(I had a non search item pop-up generate because the site I went to had an ad for a similar unwanted item)
If I want a right-handed widget pole the last thing I need is an ad for left handed goose oil, let alone TWO ADS
SO
until you tell me truthfully what ALL is on your site I WILL USE WHATEVER MEANS to remove unwanted material
you sound like the spammers that intentionally misspell words so the spam filters will allow it to pass, anything so your content will be viewed
WELL there is an uprising and you WILL fall along with your intrusive ads and unwanted pop-ups and impossible to read type
SURFERS OF THE WEB UNITE!!!
Robert
The article seems to be focusing on the relatively mild security risk that someone might install a malicious user script onto their own computers. This, however, is a security risk that can be controlled really well just through a little bit of common sense. I don't believe that your data could be altered in any way, since a site such as yours would, I believe, make a custom HTML page on each request to return to the browser. I think this is all Greasemonkey could affect, and thus, you are safe on your end.
- What about database-based web site? Are they vulnerable too?
- by March 28, 2005 6:39 AM PST
- What about dynamic database-based websites, rather than static HTML websites? Can the Firefox extension alter those websites as well? Are dynamic websites also vulnerable to the security issues raised by this browser extension?
- Reply to this comment
-
-
- I would doubt it . . .
- by March 28, 2005 4:10 PM PST
- Greasemonkey, as I understand it, and others have confirmed to me, only operates on the client side. The security risk seems pretty mild, thus, as it can only affect what the client sees. It can't alter anything on your server side, so it's safe.
-
-
Showing 1 of 2 pages (98 Comments)The article seems to be focusing on the relatively mild security risk that someone might install a malicious user script onto their own computers. This, however, is a security risk that can be controlled really well just through a little bit of common sense. I don't believe that your data could be altered in any way, since a site such as yours would, I believe, make a custom HTML page on each request to return to the browser. I think this is all Greasemonkey could affect, and thus, you are safe on your end.