Política de Greasy Fork sobre scripts externos

Greasy Fork is available in English.

Greasy Fork permits the use of external code in specific cases. Any script found to be including external code outside of what is permitted is subject to be deleted. If you find a script violating these rules, please report it.

Note that these rules only apply to external, executable code. Loading non-executable code, for example JSON or CSS, is not restricted.

Razones

User scripts have the technical ability to load and execute other scripts. This can be done in a few different ways, including:

The @require and @resource metadata keys.
XmlHttpRequest to download the script, then eval to execute.
Adding a <script> tag dynamically.
Webpack's externals option.
Performing an update of the script, whether performed automatically or by directing the user to perform an action.

While this is a useful feature and most script authors use this for legitimate purposes, it can also be used maliciously. One of the core principles of Greasy Fork is that the user must be able to inspect the code in a script. External scripts can bypass this principle in a number of ways: they can change without warning or history, they can serve up different code to different people, and they can be used to hide malicious code in the middle of known libraries. Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.

Se permite el código externo

The following are the ways external code is allowed on Greasy Fork. Unless otherwise specified, all other rules for code apply to the external code.

Redes de entrega de contenido (CDNs en inglés)

Code from CDNs is allowed. See a list of recognized CDNs. This code may be minified, but not obfuscated.

Scripts con sumas de comprobación de subrecurso

Use of @require and @resource with URLs with subresource integrity in the Tampermonkey format is allowed.

Bibliotecas en Greasy Fork

Los scripts publicados como bibliotecas en Greasy Fork están permitidas. Las bibliotecas pueden crearse eligiendo la opción al crear un nuevo script. Además, pueden sincronizarse desde una URL externa, como un repositorio de GitHub.

Inyección de scripts bajo el dominio original

Se permite la inyección de scripts externos en el mismo dominio del que proceden. Si un script se ejecuta en https://ejemplo.com, y descarga https://ejemplo.com/script.js, lo modifica, y lo inyecta de nuevo en https://ejemplo.com/, esto estaría permitido.

Si se inyecta https://ejemplo.com/script.js en https://sitiodiferente.com, se desautorizaría.