





这不是万无一失的,通常对网站的威胁可以忽略不计。 (再一次,一些网站管理员可以是这样的事情的强迫症 - 偏执狂);))


  1. 游戏或拍卖网站可以监控出价点击的时间(速度和规律性)。

  2. 一个网站可以通过AJAX返回计数,< script> 节点,寻找附加组件。

    / li>
  3. 同样,一个网站可以AJAX回传页面的任何或所有内容,并将其与预期值进行比较。

  4. 额外的AJAX调用或不符合隐藏要求的AJAX调用可以被注意(并允许显示成功)。

  5. 如果脚本以正确(错误)的方式使用 unsafeWindow ,。

  6. 鼠标悬停事件之前没有点击可以是检测。我实际上已经看到在野外使用了这个。

  7. ,提醒。)


Can, for example, Facebook.com run a version control script on my browser and find out if I am running altered HTML code with the use of a script?

Could that be done with a script that can read the HTML code in the cache and produce some kind of hash tag that is sent back to the server and compared with the code that was sent to the client?


Yes, in theory, a site can deduce the presence of scripts in various situations.

This is not foolproof and usually is way too much trouble for the negligible "threat" to the site. (Then again, some webmasters can be obsessive-paranoids about such things. ;) )

Some methods, depending on what the script does (in no particular order):

  1. Gaming or auction sites can monitor the timing (speed and regularity) of "bid" clicks.

  2. A site can AJAX-back the count of say, <script> nodes, looking for extras.

  3. Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.

  4. Extra AJAX calls, or AJAX calls that don't meet hidden requirements can be noted (and allowed to appear to succeed).

  5. If the script uses unsafeWindow in just the right (wrong) way, a page can detect that and even hijack (slightly) elevated privileges.

  6. "Clicks" that were not preceded by mouseover events can be detected. I've actually seen this used in the wild.

  7. A page's javascript can often detect script-generated clicks (etc.) as being different than user generated ones. (Thanks, c69, for the reminder.)

Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.


05-28 11:56