User scripts have the technical ability to load and execute other scripts. The
@require metadata key is the most straightforward way to accomplish this, but scripts can also, for example, use an XmlHttpRequest to download a script and then inject it into the DOM.
While this is a useful feature and most script authors use this for legitimate purposes, it can also be used maliciously. One of the core principles of Greasy Fork is that the user must be able to inspect the code in a script. External scripts can bypass this principle in a number of ways: they can change without warning or history, they can serve up different code to different people, and they can be used to hide malicious code in the middle of known libraries. Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.
To allow script authors to continue to use external scripts, Greasy Fork has implemented a whitelist of URL patterns that can be included with a script. This whitelist consists of script locations that:
- Are public
- Will not have their contents change frequently
- Would likely be useful to more than one script author
The current list is:
- Google Hosted Libraries on googleapis.com
- jQuery on code.jquery.com
- Greasy-Fork-hosted third party libraries on https://greasyfork.org/libraries/
- Greasy-Fork-hosted scripts (https://greasyfork.org/scripts/*.js)
- cdnjs-hosted libraries
- jsDelivr-hosted libraries
- Firebase CDN
- Baidu CDN
- 开放静态文件 CDN
- MathJax CDN
- Highcharts CDN
- Google Maps API
- Todoist Anywhere
- Microsoft Ajax CDN
- OpenUserJS libraries
- Wysibb CDN
- Google Hosted Libraries on apis.google.com
- RawGit (commit-specific URLS only)
- GitCDN (commit-specific URLS only)
- Baidu CDN
- Google-hosted libraries on www.gstatic.com
If you try to post a script that uses a
@require outside of these locations, you will not be able to save your script.
If the script you wish to include is not available on the sites above, let us know and we can find somewhere it is (or host it ourselves!).
If the script you wish to include was written by you, you can submit it as a separate entry on Greasy Fork by choosing the "Library" script type. You will then be able to include this posted library in your script.