
Some basic knowledge about "oil monkey scripts" and Tampermonkey

Popularity:40 ℃/2025-03-30 11:07:20

This article briefly introduces my understanding of "oil monkey scripts" and Tampermonkey. It cannot be complete or cover every detail in one pass. Criticism, corrections, opinions and suggestions are all welcome. In addition, please be sure to credit the author when reprinting; otherwise it will be deemed infringement.

  1. There are three kinds of add-on in the browser: plug-ins, extensions and scripts.
    Plug-ins have the greatest permissions and are not subject to browser constraints. They can read and write local files and can be regarded as being on the same level as ordinary software (such as QQ or the browser itself). An example is the Flash Player plug-in that was widely bundled in the past.
    Extensions have the next-highest permissions. They are software installed in the browser, such as Oil Monkey and Adblock. Extensions must conform to the browser's requirements, and their permissions are subject to some constraints imposed by the browser. The same extension may differ greatly on different browsers.
    Scripts have the lowest permissions because they are restricted by various security policies (such as the same-origin policy, local file read/write policies, clipboard security policies, etc.). Usually, they can only do harmless things within same-origin pages.
  2. The so-called "oil monkey extension" most often mentioned on the Internet refers, in most cases, to Tampermonkey. Greasemonkey is the ancestor of Tampermonkey, and Tampermonkey can be regarded as an upgraded version of oil monkey. Oil monkey was written by an American Google engineer out of boredom, while the author of Tampermonkey is from Germany. There are also extensions with similar functions, such as the domestic Violentmonkey and ScriptCat... In addition, It is a script hosting website (commonly known as Oil Fork). I think it is also the most influential website in the script hosting field. Unfortunately, it was blocked after the Spring Festival in 2025. It's an adult version.
  3. Why do oil monkey scripts stop working?
    The Internet industry changes with each passing day, with rapid updates and iterations, and web pages are also changing dynamically all the time. A script written yesterday for a given web page may fail tomorrow. To keep up with this change, you must invest in frequent maintenance, which is not a small task.
  4. For the problem of low script permissions mentioned in 1, Tampermonkey actually provides some operations to bypass security policies. For example, GM_xmlhttpRequest can get around the same-origin policy; in the settings, you can select "Allow scripts to read local files" (the Chrome browser has it, but Firefox does not allow it), so that @require can include local js resources; and by modifying the Content Security Policy (CSP) header options, the security restrictions of some web pages can be bypassed. In short, as an extension, Tampermonkey generously delegates some extension-level permissions to the script. All specific operation details depend on the edition of Tampermonkey (there are two editions, the black stable version and the red development version) and on the version number. Browsing the official website's update log (the official website of Tampermonkey:) and making good use of online search will help you understand this field better.
  5. If a script runs at the wrong time, it will not work. Tampermonkey provides the following run-time options in the metadata area:
// @run-at document-start  Just before the web page starts loading, the earliest opportunity (when <html> first appears). This timing is hard to control and is not suitable for novices.
// @run-at document-end  The web page has basically finished loading, but resources such as pictures and videos have not yet been loaded (when <body> first appears). It can be regarded as the moment the DOMContentLoaded event fires.
// @run-at document-idle  The web page has finished loading. This is also the default: if the script does not specify a run time, this one is used. It can be regarded as the moment the load event fires.
// @run-at context-menu  The script is executed when it is clicked in the web page's right-click menu.

Of course, the above are just a few basic APIs provided by Tampermonkey, and the actual situation is more complicated. For example, many web pages use Ajax to delay parts of the loading process, such as video loading on Bilibili (B-site) or page switching on Baidu search. In these situations you need to work out a timing strategy that fits the page: use simple delay functions such as setTimeout and setInterval, or write your own event listeners, MutationObserver callbacks, etc. to react to changes.
  6. Scope is also a top priority for scripts. If the scope is incorrect, the script is likewise just decoration. Tampermonkey has the following scope directives in the metadata area:

// @include *  Matches all URLs. Regular expressions can be used. This syntax is being phased out.
// @exclude *  Excludes all URLs. Regular expressions can be used.
// @exclude http*:///*
// @match *://*/*  Matches all URLs. Only simple asterisk matching rules can be used, not regular expressions. This is the mainstream syntax going forward.
// @match *:///*

Off topic: *://*/* means protocol://domain name/subpath. Protocols include http, https, ftp, file, moz-extension and other types. A domain name maps an IP address to a string that is easy for people to remember (one domain name may map to multiple IPs), and the subpath is the branch path under the domain name. The so-called same-origin policy (CORS policy) means that if the protocol, domain or port number of two URLs differ, the request is judged to be cross-domain and is subject to various restrictions.
  7. @grant: here Tampermonkey appears to provide two different sets of APIs. For saving a value, for example, there are GM_setValue and The difference between the two APIs is that the latter uses Promise to implement asynchronous operations. (I am very dissatisfied with the value-saving API, which returns undefined instead of the latest value that was set.) The same applies to other APIs, such as GM_getValue and , GM_xmlhttpRequest and ... Asynchronous operations are also the mainstream going forward. In addition, GM_info/ It is the only API that can be used without authorization; only with @grant declared as none in the metadata area can you call any other API unsafeWindow. In addition, the authorization APIs for the tab page include ,,, I know very little about this, and discussion is welcome.
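
As an added example (not from the original article and not Tampermonkey's own code), the following Node.js code parses a userscript's metadata area and flags the directives from items 4 to 7 that widen what a script can reach: an all-site @match or @include, @grant GM_xmlhttpRequest, @grant unsafeWindow, a file: @require, and @run-at document-start. The sample header, the list of broad patterns and the finding labels are constructed for illustration.

```javascript
// Added example: review a userscript header before installing it.
// SAMPLE is a constructed header, not a real script.
const SAMPLE = `// ==UserScript==
// @name        demo (constructed sample)
// @match       *://*/*
// @include     *
// @run-at      document-start
// @require     file:///C:/scripts/helper.js
// @grant       GM_xmlhttpRequest
// @grant       unsafeWindow
// ==/UserScript==`;

// Parse "// @key value" lines between the ==UserScript== markers into {key: [values]}.
function parseMetadata(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const meta = Object.create(null);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@([\w:-]+)(?:\s+(.*\S))?\s*$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2] || "");
  }
  return meta;
}

// Return one finding per directive that widens the script's reach.
function auditMetadata(source) {
  const meta = parseMetadata(source);
  const get = (key) => meta[key] || [];
  const findings = [];
  // Constructed list of patterns that cover every site.
  const broad = new Set(["*", "*://*/*", "http*://*/*", "http://*/*", "https://*/*"]);
  for (const key of ["match", "include"])
    for (const v of get(key))
      if (broad.has(v)) findings.push(`broad-scope: @${key} ${v} runs on every site`);
  for (const g of get("grant")) {
    if (/^GM[_.]xml[hH]ttpRequest$/.test(g))
      findings.push(`cross-origin: @grant ${g} is not bound by the same-origin policy`);
    if (g === "unsafeWindow")
      findings.push("page-context: @grant unsafeWindow reaches the page's own window object");
  }
  for (const r of get("require"))
    if (r.startsWith("file:")) findings.push(`local-file: @require ${r} loads code from disk`);
  if (get("run-at").includes("document-start"))
    findings.push("timing: @run-at document-start injects at the earliest point of page load");
  return findings;
}

console.log(auditMetadata(SAMPLE).join("\n"));
```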