0 points

javascript - Chrome userscript fires on all pages despite @match and @include settings - Stack Overflow


dashboard

Mon Oct 19 2020 11:26:55 GMT+0000 (UTC)

Posted by @manic

There are two issues. First, a userscript header does not parse if a UTF8 BOM is present (Chromium bug 102667).

Second, when using @include versus @match in a userscript, Chrome misleadingly reports that the script can "Access your data on all websites", but this is not really true. The script will run on only those sites specified by the include statement(s).

Consider (or make) these three scripts:

UTF test, not UTF.user.js (save with ANSI encoding):

// ==UserScript==
// @name    Not UTF source file
// @match   http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
  alert ("This script should not run on "+location.hostname+"!");
 Save

UTF test, is UTF.user.js (save with UTF-8 encoding, including the BOM):

// ==UserScript==
// @name    Is UTF source file
// @match   http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
  alert ("This script should not run on "+location.hostname+"!");
 Save

Include, not match.user.js (save with ANSI encoding):

// ==UserScript==
// @name    Use include, not match
// @include http://www.yahoo.com/*
// ==/UserScript==
if (location.hostname != 'www.yahoo.com')
  alert ("This script should not run on "+location.hostname+"!");
 Save

Note that all 3 scripts are the same code. Only the @name and/or the file-format and/or @include versus @match are different.

The ANSI script, with match (UTF test, not UTF.user.js) reports these permissions:


This script operates and reports correctly, and as expected.


The UTF-8 script, with match (UTF test, is UTF.user.js) reports these permissions:


The permissions are reported incorrectly, contradicting the @match statement(s). Also note that the file-name is shown, URL-encoded, instead of the @name directive. These are both clues that something is amiss.

Worse, this script will operate on all sites. That is, you will see the alert() on all non-Yahoo pages. This is clearly a bug.


The ANSI script, with include (Include, not match.user.js) reports these permissions:


While this is a misleading report, the script will actually operate correctly. That is, it will only fire for yahoo pages.

This is due in part to how Chrome auto-converts userscripts into extensions. @match statements are translated directly into the manifest.json's matches property, while @include statements are made into include_globs values. See Match patterns and globs. The permissions report keys off the matches array.
content_copy Copy

https://stackoverflow.com/questions/16403175/chrome-userscript-fires-on-all-pages-despite-match-and-include-settings