Ad

How To Remotely Enable/Disable A Tampermonkey Script For Other Users

- 1 answer

I have created a tampermonkey script and I would like to share it to a friend. Is there any way to disable it remotely and make it non functional so he can no longer use it?

I am thinking of something like a .txt file in my server with a specific values in it. This will serve as a token. My script will only work only if the token matches with the server. Thus, i could change the token anytime making the script non functional to my friend.

Any idea how can it be possible :) Thanks!

Ad

Answer

I am thinking of something like a .txt file in my server with a specific values in it

That's one idea - make sure your server's endpoint has Access-Control-Allow-Origin * so that it can be requested via Javascript from anywhere, and have your userscript request it, then check that it matches. But if your friend knows any Javascript at all, this will be trivially easy to bypass.

I think a better method would be keep the main source code only on your server. This way, if the script stops working, users can't just open it up and debug. Consider having your server serve the main script content, and have the userscript execute the response:

fetch('serverEndpoint')
  .then(res => res.text())
  .then((text) => {
    eval(text);
  });

While this can accomplish your goal, it's very unsafe for users of your userscript, since now you have the ability to run arbitrary code on their machines. If I saw a userscript like this, I would mark it as untrustworthy without a second's thought.

Another method would be to encrypt your code in the userscript such that only by requesting a key from your server can it be decrypted and run. This would be safer for users, but if they can't see what the script is actually doing, they might not trust it - and if they know enough Javascript, they'll be able to peek at your server's response and decode your source code themselves.

Ad
source: stackoverflow.com
Ad