Back in August of 2005 (almost exactly seven years ago now), Greasemonkey introduced wrappers intended to plug security holes. As a result the common pitfalls were born. Ever since then, in order to write a user script that would function properly in Greasemonkey, authors were required to either get lucky and not trip over one of these pitfalls, or get lucky and figure out that they exist -- and how to work around them.
As of today, all you have to know is "@grant none". If you specify this setting in your metadata, then none of these security wrappers are put around your script. And you aren't granted access to any of the Greasemonkey APIs that a normal page wouldn't have. Almost anything you can do in a script in the page itself should work in a "@grant none" user script. There is still a sandbox; this isolates your variable scope from the page itself. Without this it is extremely easy to break the page. In order to explicitly read/write to/from the content scope, just reference properties of the window object. (I.E. "x = 10" assigns to a variable x only in the user script's private scope. "window.x = 10" assigns to the variable x in the content page's scope, which it can see.)
The entire list of bugs handled in this release is also available via the 1.0 milestone on GitHub. A number of issues listed there only affected Greasemonkey during the development of version 1.0, so they aren't listed as changes below.
As always, if you notice problems, it's best to log an issue at GitHub or let us know at the greasemonkey-dev mailing list (and be clear that your issues are with this version).
Enhancements since Greasemonkey 0.9.x:
- The toolbar button is colorful (in the enabled state) on Mac OS X. (#1597)
- The metadata @unwrap has been removed, as being unwrapped is now the default. The wrapper will still be applied to scripts that have a "return" statement outside of any function, but this may be removed in the future, so make sure your scripts (and requires) don't do this; authors may manually add an anonymous function wrapper around the script for the exact same behavior. (#1568, #1592)
- Scripts that @run-at document-start have a valid document object to modify, E.G. for adding <style> tags; but still before any part of the document is loaded. (#1565)
- GM_xmlhttpRequest() accepts a timeout option. (#1561)
- GM_getResourceURL() works with a special protocol handler. (This is more efficient/faster than the data: URI encoding used previously.) For example, specify images and styles with URLs to your @resources.
- The standard Firefox web developer console works for console.log() et al. (#1564)
- Automatic updates work correctly with scripts installed from userscripts.org (but still note the require secure updates setting). (#1555)
- Require at least Firefox 14.0 (no more Firefox 3 compatibility). (#1426, #1522)
- Error reporting is much more consistent and obvious than in the past. (#1404, #1592)
- The alert() workaround (see http://bugzil.la/647727) is not applied for Firefox versions that do not exhibit this bug. (#1318, #1350)
- When downloading a script not encoded in UTF-8, display an error message to the user (rather than just failing). (#1588)
- The "show script" button in the install dialog is disabled until the download of the script file is complete. (#1586)
- Scripts with missing or broken "==UserScript==" metadata will work. (#1562)