23

Can, for example, Facebook.com run a version control script on my browser and find out if I am running altered HTML code with the use of a script?

Could that be done with a script that can read the HTML code in the cache and produce some kind of hash tag that is sent back to the server and compared with the code that was sent to the client?

Brock Adams
vkefallinos
  • Facebook is not static HTML, therefore, hash is useless, therefore, impossibru. – Dejan Marjanović Dec 17 '11 at 21:48
  • 1
    Do you have reason to believe that Facebook is detecting your userscript? If so, why? How do you suspect this? – Brock Adams Dec 17 '11 at 22:21
  • 3
    Facebook does not care about your userscript, and in fact - their frequent interface changes alone help them fight off many user-scripts, especially the ones that are not actively maintained. – c69 Dec 18 '11 at 00:35

2 Answers

31

Yes, in theory, a site can deduce the presence of scripts in various situations.

This is not foolproof and usually is way too much trouble for the negligible "threat" to the site. (Then again, some webmasters can be obsessive-paranoids about such things. ;) )

Some methods, depending on what the script does (in no particular order):

  1. Gaming or auction sites can monitor the timing (speed and regularity) of "bid" clicks.

  2. A site can AJAX-back the count of say, `<script>` nodes, looking for extras.

  3. Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.

  4. Extra AJAX calls, or AJAX calls that don't meet hidden requirements can be noted (and allowed to appear to succeed).

  5. If the script uses `unsafeWindow` in just the right (wrong) way, a page can detect that and even hijack (slightly) elevated privileges.

  6. "Clicks" that were not preceded by mouseover events can be detected. I've actually seen this used in the wild.

  7. A page's JavaScript can often detect script-generated clicks (etc.) as being different than user-generated ones. (Thanks, c69, for the reminder.)

Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.

Brock Adams
  • 3
    In Opera, page can now detect fake clicks (via `.isTrusted` property), probably it will be possible in other browsers soon. – c69 Dec 18 '11 at 00:33
  • 2
    @c69, It's [been possible in Firefox for a while](http://help.dottoro.com/ljoljvsn.php) and has limited support in IE9. – Brock Adams Dec 18 '11 at 00:53
  • 1
    @MikeOrtiz, No. The userscript itself lives in a separate scope that the page cannot see -- even in `@grant none` mode. ... If the userscript creates ` – Brock Adams Jul 20 '15 at 00:58
  • @MikeOrtiz, Depends. Open a new question if you need to. Be sure to include an MCVE. – Brock Adams Jul 20 '15 at 02:54
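
An added illustration of methods 1, 6 and 7 from the answer above (not code from the original answers): a scorer that a site could run over UI events it has recorded. The event shape, the function name `scoreClicks` and both thresholds are assumptions made for the example.

```javascript
// Added example: heuristics over a recorded UI event stream.
// Event shape (assumed): { type, target, isTrusted, t } with t in milliseconds.
function scoreClicks(events, { hoverWindowMs = 5000, minJitterMs = 15 } = {}) {
  const findings = [];
  const lastHover = new Map(); // target -> time of last mouseover
  const clickTimes = [];
  for (const ev of events) {
    if (ev.type === "mouseover") {
      lastHover.set(ev.target, ev.t);
      continue;
    }
    if (ev.type !== "click") continue;
    clickTimes.push(ev.t);
    // Method 7: events dispatched by script have isTrusted === false.
    if (ev.isTrusted === false) {
      findings.push({ t: ev.t, reason: "untrusted-click" });
    }
    // Method 6: click with no recent mouseover on the same target.
    const hovered = lastHover.get(ev.target);
    if (hovered === undefined || ev.t - hovered > hoverWindowMs) {
      findings.push({ t: ev.t, reason: "click-without-mouseover" });
    }
  }
  // Method 1: near-constant gaps between clicks suggest a timer, not a hand.
  if (clickTimes.length >= 4) {
    const gaps = clickTimes.slice(1).map((t, i) => t - clickTimes[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    if (Math.sqrt(variance) < minJitterMs) {
      findings.push({ t: clickTimes[clickTimes.length - 1], reason: "regular-click-timing" });
    }
  }
  return findings;
}

// Constructed sample sessions (not captured from any real site).
const humanSession = [
  { type: "mouseover", target: "bid", isTrusted: true, t: 1000 },
  { type: "click", target: "bid", isTrusted: true, t: 1420 },
  { type: "click", target: "bid", isTrusted: true, t: 3900 },
  { type: "mouseover", target: "bid", isTrusted: true, t: 7000 },
  { type: "click", target: "bid", isTrusted: true, t: 7350 },
  { type: "click", target: "bid", isTrusted: true, t: 8100 },
];
const scriptedSession = [0, 500, 1000, 1500].map((t) => (
  { type: "click", target: "bid", isTrusted: false, t }
));

console.log(scoreClicks(humanSession));
console.log(scoreClicks(scriptedSession));
```

Keyboard activation also produces a trusted click with no mouseover, so the second check needs an allowance for it before any action is taken on its findings.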
6

Update: The methods below are fully ineffective as of Greasemonkey 3.3.



See (Dead link) How-to Detect Greasemonkey.

JavaScript to detect if GM is installed (but not whether a script is actually running on that page):

Obsolete Option 1:

```javascript
if (Components.interfaces.gmIGreasemonkeyService) {
  alert("I smell a monkey!");
}
```


Obsolete Option 2:

```html
<script type="text/javascript" src="resource://greasemonkey/addons4.js"></script>
<script type="text/javascript">
if (typeof GM_addonsStartup !== "undefined") {
  alert("I smell a monkey!");
}
</script>
```
Brock Adams
erikvold