Tuesday, June 17, 2014

Greasemonkey 2.0 Release

The entire list of bugs handled in this release is also available via the 2.0 milestone on GitHub. Note that as always it takes some time for Mozilla to review the new version.  If you're interested in staying on the bleeding edge, try installing the development channel beta release.  If you are using this version and notice problems, it's best to log an issue or let us know at greasemonkey-dev (and be clear that it's with this version).

Backwards incompatible changes:
  • For stability, reliability, and security the privileged sandbox has been updated to match the new changes to unsafeWindow for the Add-on SDKIn order to write values to unsafeWindow you will need to use the new methods cloneInto(), exportFunction(), and/or createObjectIn().
  • The @grant none mode is now the default, and grants will no longer be implied when not explicitly provided.  See the post Sandbox API Changes in Greasemonkey 2.0 for more detail.
If your script already specifies @grant none, these changes will not affect you.  If your script does not interact with unsafeWindow, these changes will not affect you.

Otherwise, these changes will break some scripts.  These scripts will need to be updated to work correctly again.  We don't take breaking changes lightly.  It's been just under two years since version 1.0 when we last introduced major changes, and it these particular changes are both important and valuable in the long run.

Enhancements:
  • Greasemonkey will only use explicit @grant metadata, it will no longer sniff for implicitly used APIs. (This change takes effect at install time.  Currently installed scripts will continue to function as normal until they are updated/edited/reinstalled.) (#1908)
  • GM_addStyle() now returns the created element. (#1892)
  • Update checks will attempt to read a .meta.js file for scripts installed from any site on the internet.  (#1885)
  • Remove all references to the now defunct userscripts.org website. (#1884)
  • Privileged scripts' event listeners will run, even when content JavaScript is disabled. (#1882)
  • Turn on Firefox Sync support by default. (#1857)
  • GM_xmlhttpRequest() can set the resposeType parameter on the request. (#1834)
Fixed bugs:
  • A rare NS_ERROR_MALFORMED_URI error when running certain scripts has been resolved.  (#1930)
  • Fixed a bug when parsing @match rules which could destroy configuration state. (#1912)
  • A bug fix for the @match metadata, to correctly match bare domain names. (#1899)
  • The database where persistent values are stored correctly vacuums its unused space. (#1879)
  • A relative @require URL will now work correctly. (#1874)
  • The options window will flex to fit on small (or large) screens. (#1871)
  • Greasemonkey's integration with Firefox Sync should no longer cause unnecessary prompts when a master password is set. (#1852, #1870)

Sandbox API Changes in Greasemonkey 2.0

Since version 1.0 in August 2012, Greasemonkey has supported two modes: the legacy mode with privileged APIs available to the script, and a newer unprivileged mode.

When version 1.0 was initially released, this new unprivileged mode was not the default.  In fact, a script was required to explicitly opt in to this new behavior, by specifying @grant none, or opt out by  requesting access to any privileged API.  At that time, Greasemonkey would detect API usage by scripts that requested no @grant one way or the other, automatically applying what it considered the right values.  This was intended to make the migration from the legacy execution model to the new model smooth.

Today, many if not most or all scripts correctly request the APIs they need with @grant.  So as of version 2.0, Greasemonkey now defaults to @grant none.  It does not detect used-but-not-specified APIs, and an absence of all @grant lines means it will assume none.