window scope issue after grant unsafeWindow #273

Closed
WindRunnerMax opened this issue Apr 28, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@WindRunnerMax
Contributor

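After granting unsafeWindow, the window object of the injected page itself can be accessed even through window, which is inconsistent with the behavior of the Tampermonkey script manager. I'm not sure whether this is expected.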

// ==UserScript==
// @name         New Userscript
// @namespace    https://bbs.tampermonkey.net.cn/
// @version      0.1.0
// @description  try to take over the world!
// @author       You
// @match        https://quilljs.com/playground/snow
// @grant        unsafeWindow
// ==/UserScript==

(function() {
    'use strict';
    console.log(window === unsafeWindow);
    console.log("window", "------", window.Quill)
    console.log("unsafeWindow", "------", unsafeWindow.Quill)
    // Your code here...
})();

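After adding the script and visiting https://quilljs.com/playground/snow, even though window is already a proxy rather than the original window, the Quill object can still be reached on window as well.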

image
@CodFrm
Member

CodFrm commented Apr 28, 2024

This looks like it is not the expected behavior. In sandbox mode, Quill should not be accessible through window.

@CodFrm CodFrm added the bug Something isn't working label Apr 28, 2024
@CodFrm
Member

CodFrm commented Apr 29, 2024

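I just tried it, and all three script managers behave differently, but I think that by design tm's behavior should be the correct one (vm is correct once setTimeout is added; could it be that vm executes too fast?)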

image

@WindRunnerMax
Contributor Author

I feel that, strictly speaking, the second behavior should be the more correct one?

@CodFrm
Member

CodFrm commented Apr 29, 2024

Yes, the second one is Tampermonkey

@CodFrm
Member

CodFrm commented Apr 29, 2024

I can also get it when accessing it without window; the expectation is that it should not be obtainable 🤯

    console.log("tm Quill", Quill)
    console.log("tm window", "------", window.Quill)
    console.log("tm unsafeWindow", "------", unsafeWindow.Quill)
    console.log("tm onload", window.onload, unsafeWindow.onload)

@WindRunnerMax
Contributor Author

funny

CodFrm added a commit that referenced this issue Apr 29, 2024
@CodFrm
Member

CodFrm commented Apr 29, 2024

Fixed; the behavior now matches tm. Bro, you can try this version: https://github.com/scriptscat/scriptcat/actions/runs/8873074186

But I don't know whether it will affect anything else; the unit tests did pass (

@WindRunnerMax
Contributor Author

ggnb

@CodFrm
Member

CodFrm commented Apr 29, 2024

@CodFrm CodFrm closed this as completed Apr 29, 2024
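
The behaviour discussed in this thread, as an added example that is not part of the issue and not ScriptCat's own code: a minimal Proxy-plus-`with` model of a userscript sandbox, showing how forwarding unknown properties to the page exposes `Quill` on `window` and as a bare name, while an allowlist keeps it reachable only through `unsafeWindow`. `pageWindow`, `PASSTHROUGH`, `makeSandboxWindow` and `probe` are hypothetical names, and the page object is a constructed stand-in so the block runs under Node.

```javascript
// Constructed stand-in for the page's real window; Quill is the page-defined global.
const pageWindow = { Quill: function Quill() {}, setTimeout, console };

// Hypothetical allowlist of built-ins the sandbox may read from the real window.
const PASSTHROUGH = new Set(["setTimeout", "console"]);

// Build the object a userscript sees as `window`.
// leaky=true forwards every unknown property to the page (the behaviour reported
// in the issue); leaky=false forwards only allowlisted built-ins.
function makeSandboxWindow(page, leaky) {
  const local = Object.create(null); // script-defined globals live here
  const proxy = new Proxy(local, {
    // Claim every identifier so bare names inside `with` never reach the outer scope.
    has: () => true,
    get(target, key) {
      if (key === Symbol.unscopables) return undefined;
      if (key === "window" || key === "self" || key === "globalThis") return proxy;
      if (key === "unsafeWindow") return page; // what @grant unsafeWindow hands out
      if (key in target) return target[key];
      if (leaky || PASSTHROUGH.has(key)) return page[key];
      return undefined; // page-defined globals stay invisible
    },
    set(target, key, value) {
      target[key] = value; // writes stay in the sandbox, never on the page
      return true;
    },
  });
  return proxy;
}

// Run the same probes as the issue's test script inside the sandbox scope.
function probe(sandboxWindow) {
  const body = `with (scope) {
    window.mine = 1;
    return {
      same: window === unsafeWindow,
      bare: typeof Quill,
      viaWindow: typeof window.Quill,
      viaUnsafe: typeof unsafeWindow.Quill,
      timers: typeof setTimeout,
    };
  }`;
  return new Function("scope", body)(sandboxWindow);
}

console.log("leaky ", probe(makeSandboxWindow(pageWindow, true)));
console.log("strict", probe(makeSandboxWindow(pageWindow, false)));
```

In the strict configuration only the `unsafeWindow.Quill` probe reports `function`; the leaky configuration reports it for all three Quill probes.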