Can a website know if I am running a userscript?

by

Yes, in theory, a site can deduce the presence of scripts in various situations.

This is not foolproof and usually is way too much trouble for the negligible “threat” to the site. (Then again, some webmasters can be obsessive-paranoids about such things. 😉 )

Some methods, depending on what the script does (in no particular order):

  1. Gaming or auction sites can monitor the timing (speed and regularity) of “bid” clicks.

  2. A site can AJAX-back the count of say, <script> nodes, looking for extras.

  3. Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.

  4. Extra AJAX calls, or AJAX calls that don’t meet hidden requirements can be noted (and allowed to appear to succeed).

  5. If the script uses unsafeWindow in just the right (wrong) way, a page can detect that and even hijack (slightly) elevated privileges.

  6. “Clicks” that were not preceded by mouseover events can be detected. I’ve actually seen this used in the wild.

  7. A page’s javascript can often detect script-generated clicks (etc.) as being different than user generated ones. (Thanks, c69, for the reminder.)

Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.

More Related Contents:

  1. Simulating a mousedown, click, mouseup sequence in Tampermonkey?
  2. How to change a class CSS with a Greasemonkey/Tampermonkey script?
  3. Save images to hard disk WITHOUT prompt?
  4. How to override the alert function with a userscript?
  5. Choosing and activating the right controls on an AJAX-driven site
  6. jQuery in Greasemonkey 1.0 conflicts with websites using jQuery
  7. Run Greasemonkey script on the same page, multiple times?
  8. How to get an AJAX get-request to wait for the page to be rendered before returning a response?
  9. Removing an anonymous event listener
  10. Why is window (and unsafeWindow) not the same from a userscript as from a tag?
  11. Injecting JS functions into the page from a Greasemonkey script on Chrome
  12. How to use greasemonkey to selectively remove content from a website
  13. Userscript to wait for page to load before executing code techniques?
  14. UserScripts & Greasemonkey: calling a website’s JavaScript functions
  15. Detecting combination keypresses (Control, Alt, Shift)?
  16. How can I load a shared web worker with a user-script?
  17. How to exclude iframe in Greasemonkey or Tampermonkey?
  18. Storing user login/password input in a Greasemonkey script on install
  19. How to use GM_xmlhttpRequest in Injected Code?
  20. Clicking a button on a page using a Greasemonkey/userscript in Chrome
  21. Chrome userscript error: “Unsafe JavaScript attempt to access frame”
  22. Add a JavaScript button using Greasemonkey or Tampermonkey?
  23. How do I get Greasemonkey to click on a button that only appears after a delay?
  24. Chrome 65 blocks cross-origin . Client-side workaround to force download?
  25. Facebook “Like” button callback
  26. How to detect when facebook’s FB.init is complete
  27. How does paging in facebook javascript API work?
  28. Why doesn’t document.addEventListener(‘load’, function) work in a greasemonkey script?
  29. Facebook OAuth “Unsupported” in Chrome on iOS
  30. Empty “for” loop in Facebook ajax

Leave a Comment