Firefox add-on lets surfers tweak sites, but is it safe?

Rip, mix--get burned?

That's one cautionary note making the rounds along with a popular new extension for Firefox that lets people customize Web pages they visit without the knowledge or cooperation of Web publishers. The extension, dubbed Greasemonkey, lets people run what's known as a "user script," which alters a Web page as the page is downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks and could stir trouble among site owners who object to individual, custom redesigns of their pages.

News.context

What's new:
Greasemonkey, an add-on for the popular Firefox browser, lets surfers customize the sites they visit. Using the extension, one could, for example, jump directly to "printer-friendly," and ad-free, stories on news sites.

Bottom line:
The catch is that the type of scripts used to enable the customization can also be used by cyberthugs to make mischief on people's PCs. Caution, then, is advised.

More stories on Firefox

"Publishers for now seem to accept that it's OK for users to make some changes," said Danny Sullivan, editor of Search Engine Watch. "I can tell my browser not to run JavaScript, for example, and that could override what the publisher wants the page to do. But people are still struggling with where the line is. Some of these things may go to court, but I think in the long run publishers...will adapt...or develop other ways to combat it."

The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that--adjust colors, font sizes and other style elements.

Greasemonkey goes well beyond such superficial changes. Among other things, Greasemonkey can strip out ads, a feature that's sure to prove controversial with publishers, if it crosses over to the mainstream.

Web site customization tools that give Web surfers the ability to "rip and mix" Web page elements have drawn fire in the past when publishers balked at alterations. Google, for example, got into hot water with some sites after it released a toolbar that offers Web surfers the option of inserting hyperlinks into pages through its AutoLink feature.

In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.

By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colors and make the site "less ugly," the page says.

		Related story Google toolbar move raises online ire Adding hyperlinks where there weren't any before is like hijacking a Web site, some critics say.

Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and remove image copy restrictions from Google Print. (CNET News.com's tests of various scripts showed that some were more successful than others at delivering promised results.)

In what could signal a trend toward user scripts, Norwegian browser maker Opera Software has picked up the idea, adding similar functionality to beta 3 of Opera 8, acknowledging Greasemonkey on its Web site.

Regardless of how Web sites react to Greasemonkey--Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts--the extension will have to face down substantial security concerns.

The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning

Who's idea ?

It should look after, who's idea picked up the other! But really, the idea is very useful, primarily for Opera because of the UA sniffing.

Who's idea ?

It should look after, who's idea picked up the other! But really, the idea is very useful, primarily for Opera because of the UA sniffing.

[pcabellor]

Again, beware of FUD

Then there have also existed bookmarklets for a long time now which can also purport a security risk but since they are not targeted for end users it is not a big deal. I think same goes for this feature: it requires so much end user interaction (installing th e extension, a script and activating it) that one could expect a user that does all of this may properly select what he installs. Of course improved security is always welcomed.

More comments at mozillazine.org: http://www.mozillazine.org/talkback.html?article=6274

[pcabellor]

Again, beware of FUD

Then there have also existed bookmarklets for a long time now which can also purport a security risk but since they are not targeted for end users it is not a big deal. I think same goes for this feature: it requires so much end user interaction (installing th e extension, a script and activating it) that one could expect a user that does all of this may properly select what he installs. Of course improved security is always welcomed.

More comments at mozillazine.org: http://www.mozillazine.org/talkback.html?article=6274

Amazing how everyone ignores...

I think it is amazing how everyone ignores the fact that changing of someone else's web site no matter the reason is a copyright violation. I am beginning to see why Hollywood and the music industry are acting the way they do. No one seems to have any regards for people's property.

I see a time coming very soom when things like this will result in law suites. It happened to Google for changing sites and I suspect that large sites with the money for the lawyers will be going after people that change their web sites. After all most of these sites rely on advertising and anything that messes with that is going to get slammed with law suites.

The 26 year that made Greasemonkey as well as Opera for adding such feature to thier browser directly needs to be gone after. I hope it happens and I hope they both loose greatly.

People and companies need to respect everyone's copyrighted material.

Robert

Amazing how everyone ignores...

I think it is amazing how everyone ignores the fact that changing of someone else's web site no matter the reason is a copyright violation. I am beginning to see why Hollywood and the music industry are acting the way they do. No one seems to have any regards for people's property.

I see a time coming very soom when things like this will result in law suites. It happened to Google for changing sites and I suspect that large sites with the money for the lawyers will be going after people that change their web sites. After all most of these sites rely on advertising and anything that messes with that is going to get slammed with law suites.

The 26 year that made Greasemonkey as well as Opera for adding such feature to thier browser directly needs to be gone after. I hope it happens and I hope they both loose greatly.

People and companies need to respect everyone's copyrighted material.

Robert

[201293546946733175101343322673]

Why is adblock not even mentioned?

Why is adblock not even mentioned? It's been available for over a year now, it's bug-free, it's spyware free, and so far no malicious code has been written for it and tens of thousands of people use it. Perhaps it's because CNET is attempting to fear readers into not using legit and actual working extensions that would block a source of revenue? perhaps.

What is up with the state of investigation on this site lately. Many basic errors that would take a few minutes of research to prevent!

[201293546946733175101343322673]

Why is adblock not even mentioned?

Why is adblock not even mentioned? It's been available for over a year now, it's bug-free, it's spyware free, and so far no malicious code has been written for it and tens of thousands of people use it. Perhaps it's because CNET is attempting to fear readers into not using legit and actual working extensions that would block a source of revenue? perhaps.

What is up with the state of investigation on this site lately. Many basic errors that would take a few minutes of research to prevent!

[russ960]

What is it worth

So a new extension for Firefox called Greasemonkey allows users to change the content of pages they view them on the web. It does seem this technology differentiates itself in that the user uses a script that they control and understand what links or information has changed on the page because of this script. To me personally I have no issues with browsing the web with normal unadulterated pages as I really lack the need or desire to modify it. I still personally have issues with this technology given it seems to undermine the financial backing that allows web sites to produce revenue and thus provide services at little or no direct cost to the consumer and at the same time provide jobs and contribute to our economy. Now, one could say it does cost us when we purchase these goods and services but to that I would say your better off since you got to use that good or service. Certainly I would agree the ability to change things such as font, screen size, and other attributes that are inherently aesthetic should be allowed and are freely available. But do you really want to open up your browser to the possibility that one could attack your system so easily just so you can make aesthetic changes? I really don't think this is on par with the toolbar feature that Google had by the fact that there was a third party that was neither the reader nor the publisher making changes to the content that existed. If you don't like sites with ads I would highly recommend you stay with government, university sites that way the *icky* capitalism thing would bother you so much.

I have to say I really don't think there is much that companies can do via litigation to stop or kill this kind of thing. Instead capitalists will do what they always have done and adapt.

http://russ.johnsonville.net/default.aspx?Page=Blog

[russ960]

What is it worth

So a new extension for Firefox called Greasemonkey allows users to change the content of pages they view them on the web. It does seem this technology differentiates itself in that the user uses a script that they control and understand what links or information has changed on the page because of this script. To me personally I have no issues with browsing the web with normal unadulterated pages as I really lack the need or desire to modify it. I still personally have issues with this technology given it seems to undermine the financial backing that allows web sites to produce revenue and thus provide services at little or no direct cost to the consumer and at the same time provide jobs and contribute to our economy. Now, one could say it does cost us when we purchase these goods and services but to that I would say your better off since you got to use that good or service. Certainly I would agree the ability to change things such as font, screen size, and other attributes that are inherently aesthetic should be allowed and are freely available. But do you really want to open up your browser to the possibility that one could attack your system so easily just so you can make aesthetic changes? I really don't think this is on par with the toolbar feature that Google had by the fact that there was a third party that was neither the reader nor the publisher making changes to the content that existed. If you don't like sites with ads I would highly recommend you stay with government, university sites that way the *icky* capitalism thing would bother you so much.

I have to say I really don't think there is much that companies can do via litigation to stop or kill this kind of thing. Instead capitalists will do what they always have done and adapt.

http://russ.johnsonville.net/default.aspx?Page=Blog

[201293546946733175101343322673]

just wow

So closing my eyes during a commercial is copyright violations? how about covering my ears? What part of copyright law states that I have to view the content presented to me in the manner originally intended? You do realize that browsers all show webpages differently, and they always will. You do realize that there are built in functions of a browser to block images or not run scripting code?

Just wow. Where do you come from dude?

[201293546946733175101343322673]

just wow

So closing my eyes during a commercial is copyright violations? how about covering my ears? What part of copyright law states that I have to view the content presented to me in the manner originally intended? You do realize that browsers all show webpages differently, and they always will. You do realize that there are built in functions of a browser to block images or not run scripting code?

Just wow. Where do you come from dude?

[Chung Leong]

No one is entitled to use a web site

I suggest that you read the terms of use when you go to a web site next time. They are empty words. To quotes CNet's own, "Your use of our sites constitutes your binding acceptance of these Terms...". One of the terms that you have accepted is to not modify the contents without permission. While there are client-side alterations like font size that publishers implicitly agree to by placing their materials on the web, what Greasemonkey does is clearly not one of them.

If you don't like the terms of use, then leave. People don't have a right to free information.

[Chung Leong]

No one is entitled to use a web site

I suggest that you read the terms of use when you go to a web site next time. They are empty words. To quotes CNet's own, "Your use of our sites constitutes your binding acceptance of these Terms...". One of the terms that you have accepted is to not modify the contents without permission. While there are client-side alterations like font size that publishers implicitly agree to by placing their materials on the web, what Greasemonkey does is clearly not one of them.

If you don't like the terms of use, then leave. People don't have a right to free information.

[Bill Dautrive]

There is a huge difference

Between greasemonkey and what google wants to do. To even try and compare the two shows you have zero understanding.

Greasemonkey allows the end user to modify a web page on the client side only, as does google. But google wants to throw in ads and whatnot that might damage the website. Like putting amazon ads on a small online bookstores page. With grease monkey the user can alter the way he views it, and I doubt a user is going to add ads to a page through greasemonkey.

And no, this is not a copyright violation. If I used it to alter websites in some way, your web site has not been touched, nor does it affect your next visitor.

[Bill Dautrive]

There is a huge difference

Between greasemonkey and what google wants to do. To even try and compare the two shows you have zero understanding.

Greasemonkey allows the end user to modify a web page on the client side only, as does google. But google wants to throw in ads and whatnot that might damage the website. Like putting amazon ads on a small online bookstores page. With grease monkey the user can alter the way he views it, and I doubt a user is going to add ads to a page through greasemonkey.

And no, this is not a copyright violation. If I used it to alter websites in some way, your web site has not been touched, nor does it affect your next visitor.

[qazwiz]

ATTN: Robert Barnet

No I do not want your pop-ups that hijack my web viewing

No I do not want your cookies, (one site I've visited had eight)

NO I DO NOT WANT TO STRAIN MY EYES to read your supersmall obscure typeface

No I do not want your ads. I know how to use
Google and I can spell Wandangle Widget just fine so the next time I need one I can get it myself

......

Oh, and by the way, and if I do use Google I don't want your search engine hijacking my request
(I had a non search item pop-up generate because the site I went to had an ad for a similar unwanted item)
If I want a right-handed widget pole the last thing I need is an ad for left handed goose oil, let alone TWO ADS

SO

until you tell me truthfully what ALL is on your site I WILL USE WHATEVER MEANS to remove unwanted material

you sound like the spammers that intentionally misspell words so the spam filters will allow it to pass, anything so your content will be viewed

WELL there is an uprising and you WILL fall along with your intrusive ads and unwanted pop-ups and impossible to read type

SURFERS OF THE WEB UNITE!!!

[qazwiz]

ATTN: Robert Barnet

No I do not want your pop-ups that hijack my web viewing

No I do not want your cookies, (one site I've visited had eight)

NO I DO NOT WANT TO STRAIN MY EYES to read your supersmall obscure typeface

No I do not want your ads. I know how to use
Google and I can spell Wandangle Widget just fine so the next time I need one I can get it myself

......

Oh, and by the way, and if I do use Google I don't want your search engine hijacking my request
(I had a non search item pop-up generate because the site I went to had an ad for a similar unwanted item)
If I want a right-handed widget pole the last thing I need is an ad for left handed goose oil, let alone TWO ADS

SO

until you tell me truthfully what ALL is on your site I WILL USE WHATEVER MEANS to remove unwanted material

you sound like the spammers that intentionally misspell words so the spam filters will allow it to pass, anything so your content will be viewed

WELL there is an uprising and you WILL fall along with your intrusive ads and unwanted pop-ups and impossible to read type

SURFERS OF THE WEB UNITE!!!

What about database-based web site? Are they vulnerable too?

What about dynamic database-based websites, rather than static HTML websites? Can the Firefox extension alter those websites as well? Are dynamic websites also vulnerable to the security issues raised by this browser extension?

What about database-based web site? Are they vulnerable too?

What about dynamic database-based websites, rather than static HTML websites? Can the Firefox extension alter those websites as well? Are dynamic websites also vulnerable to the security issues raised by this browser extension?