Greasemonkey: GM 4.0 does not install scripts from GitHub (CSP/sandbox issue)
GM doesn't install scripts from raw.github.com for some reasons
https://github.com/reek/anti-adblock-killer#anti-adblock-killer--reek
Here on "Step 3: UserScript" you can test 4 mirrors of one script. only github mirror doesn't open install dialog.
Incurious
All 24 comments
There might be an issue with host permissions in this case. Content script aren't injected into top frames that are "about:blank" according to the moz docs.
badbrainz
on 25 Oct 2017
I think it's a Firefox CSP issue. Apparently, you cannot inject content scripts into pages with CSP sandbox directive. Turn off the CSP (set "security.csp.enable" to false) and try to install it. Do not forget to activate the CSP after installing.
xor10
on 25 Oct 2017
arantius
on 25 Oct 2017
Hm, currently at work and only have access to Firefox 52 ESR. Cannot reproduce, security.csp.enable is set to true, using currently released alpha 4.0 available on AMO. What version of Firefox does this fail on? Might be a regression that should be brought up to the Mozilla folks. CSP should not affect content scripts.
Sxderp
on 25 Oct 2017
Happens to me on 56 (stable) and 57 (nightly).
arantius
on 25 Oct 2017
Also reproduces: https://gist.github.com/arantius/f6fd80b1efad368a45ca35567bc31b18 (click "raw")
54 works
arantius
on 25 Oct 2017
55 also works, 56+ is broken
arantius
on 25 Oct 2017
User script installation from GitHub does work in ViolentMonkey (2.8.18) in Firefox 57. What are they doing differently?
Edit: apparently they wrote a blog post about it, which references some of these same Firefox bugs. Would that Blob URL method be feasible in GreaseMonkey?
adaugherity
on 20 Nov 2017
Not really, no. Violentmonkey directly injects scripts by creating <script> objects. Greasemonkey uses tabs.executeScript(). Both methods have their own nuances and issues.
Kinda unrelated, but this does bring up something I'm curious about. How does Violentmonkey provide for elevated API calls, like cross site XHR. As far as I know <script> elements are run in the context of the page and not a content script context, and therefore can't communicate directly with the extension?
Sxderp
on 20 Nov 2017
User script installation from GitHub does work in ViolentMonkey (2.8.18) in Firefox 57. What are they doing differently?
Tampermonkey and Violentmonkey use webRequest to detect user script installation, whereas Greasemonkey use a content script.
xor10
on 20 Nov 2017
Tampermonkey and Violentmonkey use webRequest to detect user script installation, whereas Greasemonkey use a content script.
Hm. I've got a branch that does that. Although doesn't work on 52 ESR due to the use of filterResponseData. So I can't, at the moment, check to confirm if it works.
https://github.com/sxderp/greasemonkey/tree/use-window-to-install-from-cache
Sxderp
on 20 Nov 2017
Somehow this started working for me with Firefox nightly within the past few days. I'm not sure if Firefox fixed the issue on their end or a change to Greasemonkey did it, but everything does appear to be working as I'd expect. I visit the raw version of a script on github and the greasemonkey install window opens immediately.
jasontibbitts
on 31 Jan 2018
Somehow this started working for me with Firefox nightly within the past few days.
Greasemonkey changed the way that scripts are detected. #2719
This can be closed now.
Sxderp
on 31 Jan 2018
Works fine for me! Congratulations...
Eselce
on 31 Jan 2018
Not working for me. I go to https://raw.githubusercontent.com/devunt/make-gis-great-again/master/gis-vib.user.js and it does not ask me to install a userscript. Using GM 4.2 and FF 58.0.2
ibigfire
on 17 Feb 2018
Using GM 4.2 and FF 58.0.2
Just use the newest GM 4.3 version (currently GM 4.3beta4).
It can be found as a beta version AddOn.
Eselce
on 17 Feb 2018
@Eselce it keep show User script download failed
bluelovers
on 1 Mar 2018
@bluelovers Hmm, that link just works for me (GM 4.3beta7, FF 59.0b13).
Eselce
on 1 Mar 2018
Opening the original report link, then the "Install from github.com" link works as expected in latest (4.3) beta.
arantius
on 1 Mar 2018
With GM 4.3beta7/FF 58.0.2 Mac, it does not work for me. For both the original test and for one of my gists, the installation popup does appear, but after clicking Install, it says "User script download failed".
Furthermore, on our organization's GitHub Enterprise instance, the installation popup never even appears when I browse to a user script raw view. Perhaps it isn't using my authenticated session? (Anonymous access is disabled on our GH instance.)
adaugherity
on 3 Mar 2018
For both the original test and for one of my gists ..."User script download failed".
Links please.
Furthermore, on our organization's GitHub Enterprise instance ... Perhaps it isn't using my authenticated session?
Pretty sure there's already an issue tracking this but don't have it handy.
arantius
on 3 Mar 2018
By "original test" I think he means the one in OP, https://github.com/reek/anti-adblock-killer/blob/master/anti-adblock-killer.user.js
I have the same problem here as well:
(Needless to say, the result is same if I use "Install from github.com" link in readme.md, since it's the same link.)
I'm using 59.0b14 (64-bit), though.
fireattack
on 3 Mar 2018
why not just use like Tampermonkey what they do for install, i think it is better than wait firefox fix
bluelovers
on 4 Mar 2018
This is already fixed; users above are confused. If the install window opens, this bug is fixed. If something else happens, that's a separate issue and should be reported as such.
(I _think_ the particular things reported above are also already fixed but there's no newer easy build to test with.)
arantius
on 4 Mar 2018
Related issues
Sasstraliss
·
10Comments
moham96
·
7Comments
silverwind
·
5Comments
xravian
·
8Comments
arantius
·
6Comments
Most helpful comment
Just use the newest GM 4.3 version (currently GM 4.3beta4).
It can be found as a beta version AddOn.