User scripts have the technical ability to load and execute other scripts. This can be done in a few different ways, including:
- Adding a <script> element to the page.
- Using XmlHttpRequest to download the script, then executing it.
- Performing an update of the script, whether performed automatically or by directing the user to perform an action.
While this is a useful feature and most script authors use it for legitimate purposes, it can also be used maliciously. One of the core principles of Greasy Fork is that the user must be able to inspect the code in a script. External scripts can bypass this principle in a number of ways: they can change without warning or history, they can serve different code to different people, and they can be used to hide malicious code in the middle of known libraries. Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that the script always has been or always will be legitimate.
The following are the ways external code is allowed on Greasy Fork. Unless otherwise specified, all other rules for code apply to the external code.
Code served from a CDN is allowed. See the list of approved CDNs. The code may be minified, but not obfuscated.
Greasy Fork libraries
Scripts posted as libraries on Greasy Fork are allowed. Libraries can be created by choosing the option when creating a new script. These can additionally be set to sync from an external URL, like a GitHub repository.
Injection of scripts from the origin host
Injection of external scripts from the same domain the page is on is allowed. If a script runs on https://example.com, downloads https://example.com/script.js, modifies it, and injects it back into https://example.com/, this would be allowed.
If https://example.com/script.js is injected onto https://differentsite.com, this would be disallowed.
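As an added illustration of the origin-host rule (this is example code written for this page, not Greasy Fork's own review logic), the check below decides whether a script URL belongs to the same origin as the page it would be injected into. It assumes the rule is applied as the browser's same-origin notion (scheme, host and port must all match), which is stricter than matching the bare domain name, and it resolves relative script URLs against the page URL.

```javascript
// Added example: classify a proposed script injection under the
// "scripts from the origin host" rule. Not part of Greasy Fork's code.
// Assumption: "same domain" is checked as a full browser origin
// (scheme + host + port), so http vs https or a subdomain counts as different.
function scriptOriginMatchesPage(pageUrl, scriptUrl) {
  let page;
  let script;
  try {
    page = new URL(pageUrl);
    // Relative script URLs resolve against the page they are loaded from.
    script = new URL(scriptUrl, pageUrl);
  } catch (e) {
    // Unparseable input: refuse rather than guess.
    return false;
  }
  // Only web pages have a meaningful origin here; anything else is refused.
  if (page.protocol !== 'https:' && page.protocol !== 'http:') return false;
  return page.origin === script.origin;
}

// Maps the boolean to the wording the rule uses.
function classifyInjection(pageUrl, scriptUrl) {
  return scriptOriginMatchesPage(pageUrl, scriptUrl) ? 'allowed' : 'disallowed';
}

// Constructed sample cases: the page's two examples plus common edge cases.
const SAMPLE_CASES = [
  ['https://example.com/', 'https://example.com/script.js'],      // allowed
  ['https://differentsite.com/', 'https://example.com/script.js'], // disallowed
  ['https://example.com/', 'http://example.com/script.js'],       // scheme differs
  ['https://example.com/', 'https://cdn.example.com/script.js'],  // subdomain differs
  ['https://example.com/', '/script.js'],                         // relative, same origin
];

for (const [pageUrl, scriptUrl] of SAMPLE_CASES) {
  console.log(`${scriptUrl} on ${pageUrl}: ${classifyInjection(pageUrl, scriptUrl)}`);
}
```

The relative-URL case is worth keeping in mind: a script fetched as `/script.js` resolves to the page's own origin and is therefore in scope for the rule, while a URL on a CDN subdomain of the same site is not the origin host and falls under the CDN rule instead.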