Rule change - external scripts allowed with subresource integrity

Posted: 26/09/2022

Since its inception, Greasy Fork has limited the use of external scripts. This is because external scripts, if left unrestricted, can make it easy to hide code that violates Greasy Fork's other rules. Scripts loaded from an external URL can change with no record of them changing, or can even be served up differently to different users, making users (and the site's moderators) unsure of exactly what code will be run by installing the script.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

- MDN

Greasy Fork will now allow loading from external scripts via @resource and @require that include a subresource integrity hash defined in the format read by Tampermonkey. If Tampermonkey detects a mismatch between the hash and the content, it will refuse to load it. This offers protection against the URL's contents changing without updating the script on Greasy Fork. For authors concerned that they may forget to update the hash when they change the code, Greasy Fork will regularly check your scripts and warn you if this happens.

Note that external scripts with subresource integrity must still abide by Greasy Fork's other rules, e.g. no minification/obfuscation.

For a full list of ways you can use external code in your scripts on Greasy Fork, read this doc.
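
An added example, not part of the original post and not Greasy Fork's or Tampermonkey's own code: a Node.js audit of the `#algo=value` hashes on `@require`/`@resource` lines, reporting the mismatch and missing-hash cases the announcement describes. It assumes the fragment format from Tampermonkey's documentation (hex or Base64 value, several hashes separated by comma or semicolon, the last supported one is used); `cdn.example`, the library body and all function names are constructed for illustration.

```javascript
const nodeCrypto = typeof require === 'function' ? require('node:crypto') // CommonJS
  : process.getBuiltinModule('node:crypto');                             // ES modules
// Assumption (added example): the algorithms Tampermonkey checks natively.
const SUPPORTED = new Set(['md5', 'sha256']);

// Fragment an author appends to the URL, e.g. "#sha256=<base64 digest>".
function sriFragment(body, algo = 'sha256') {
  return `#${algo}=${nodeCrypto.createHash(algo).update(body).digest('base64')}`;
}

// Collect every @require / @resource line with its URL and declared hashes.
function parseExternalRefs(source) {
  const re = /^[ \t]*\/\/[ \t]*@(require|resource)[ \t]+(\S.*?)[ \t]*$/gm;
  const refs = [];
  for (const [, directive, rest] of source.matchAll(re)) {
    const parts = rest.split(/\s+/);
    const target = directive === 'resource' ? parts[1] : parts[0]; // @resource: name, then URL
    if (!target) continue;
    const cut = target.indexOf('#');
    const hashes = (cut < 0 ? '' : target.slice(cut + 1)).split(/[,;]/)
      // split on the first "=" only, because base64 padding also uses "="
      .map((h) => h.split(/=(.*)/)).filter(([algo, value]) => algo && value)
      .map(([algo, value]) => ({ algo: algo.toLowerCase(), value }));
    refs.push({ directive, url: cut < 0 ? target : target.slice(0, cut), hashes });
  }
  return refs;
}

// fetched: Map of URL -> body currently served (passed in so the example runs offline).
function auditRefs(source, fetched) {
  return parseExternalRefs(source).map((ref) => {
    const chosen = ref.hashes.filter((h) => SUPPORTED.has(h.algo)).pop(); // last supported one
    if (ref.hashes.length === 0) return { ...ref, status: 'missing' };
    if (!chosen) return { ...ref, status: 'unsupported' };
    if (!fetched.has(ref.url)) return { ...ref, status: 'unfetched' };
    const raw = nodeCrypto.createHash(chosen.algo).update(fetched.get(ref.url)).digest();
    const ok = raw.toString('hex') === chosen.value.toLowerCase()
      || raw.toString('base64') === chosen.value;
    return { ...ref, status: ok ? 'match' : 'mismatch' };
  });
}

// Constructed sample: a library body and a metadata block that refers to it.
const LIB_URL = 'https://cdn.example/demo-lib.js';
const LIB_BODY = 'window.demoLib = { version: "1.0.0" };\n';
const SAMPLE_SCRIPT = [
  '// ==UserScript==',
  `// @require  ${LIB_URL}${sriFragment(LIB_BODY)}`,
  '// @resource css https://cdn.example/demo.css',
  '// ==/UserScript==',
].join('\n');
```

Calling `auditRefs(SAMPLE_SCRIPT, new Map([[LIB_URL, LIB_BODY]]))` reports the `@require` as `match` and the hash-less `@resource` as `missing`; serving a changed body for the same URL turns the first into `mismatch`.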
