
Chrome Killed UserScripts.org - twapi
http://browserfame.com/807/userscripts-org-chrome-disabled
======
gkoberger
Here's the issue: <https://code.google.com/p/chromium/issues/detail?id=128748>

I'm a former add-ons product manager for Firefox. I never would have
considered something this drastic (after all, Firefox is about choice, so it
wouldn't have even been an option), however fake/malicious/rogue add-ons are a
massive problem. If Chrome has a kill switch on every single add-on (and not
just the ones uploaded to their site), they can do a better job of stopping
malicious add-ons.

Add-ons can do a ton of damage, and you'd be amazed how many people click
through the install warnings without thinking.

~~~
magicalist
Yeah, this isn't a great solution, but it's been surprising the number of
Mozilla folks that have come out and said, "this may be the only real
solution". They've all said they won't be doing the same thing, but there has
sometimes been a strong suggestion of a "yet..." there.

I don't think:

a) most people realize that extension permissions are not exactly analogous to
phone permissions. When you give browser extensions even fairly standard
permissions, they can arbitrarily interact with and alter every single thing
you see and do in your browser (meanwhile phones are still somewhat protected
by their isolated app architectures). There are some mitigation strategies,
but the reality is that the only real difference between many userscripts and
a keylogger, for instance, is intent on the part of the developer. And how do
you detect that?

b) I don't think many people reacting to this change (like in this thread)
realize how many people are actively installing malware in the form of
extensions and are being screwed by them. These aren't hypothetical problems,
it is _quite_ widespread (check out the many Mozilla conversations about
this). This is the reason Mozilla has been so sympathetic to (and muted about)
Google's change here, I think.

A dropdown bar and a "are you sure?" are not sufficient. I wish Google would
do more (and the "I intend to polish this UI a bit" comment in that bug thread
should tell them exactly where they should be focusing their efforts first,
not just ignoring it for now), but browser extensions are way too dangerous
right now. Downloading the folder and dragging it in kind of sucks, but it's
really not that bad in almost all cases (I'm sympathetic to the drop in
installations you'll face if you don't want to kowtow to the chrome
webstore/mozilla addon approval process, though).

~~~
aboodman
I don't understand your 'focusing their efforts first' comment. I implemented
all the things I mentioned in that comment.

~~~
magicalist
I can't edit my post now, but I was wrong, sorry. I was basing this off the
last time I tried it, which either I have a bad memory of or was before it was
added in its current form.

I actually quite like the warning bar and the link for more info, which makes
what is happening obvious. The expando on the help page for how to install is
kind of tucked away visually, though.

There are some unfortunate side effects of this move, like the only available
installable extension source being the same vendor as the main producer of the
browser, but another source that vets chrome extensions independently of their
developers is only hypothetical at this point. Maybe someday if Mozilla and
Google agree on a standard app format....

As I said above, though, this appears to be the only actually viable solution
at this point. Glad to be wrong on the UI-front.

------
mediocregopher
_> We suggest Chrome team to follow Opera’s approach, or at least whitelist
UserScripts.org globally._

I could be wrong, but I don't think userscripts does any significant culling
of their catalog; downloading an arbitrary script from there is just as
dangerous as anywhere else. This whole thing is just silly, you have to
confirm the installation of a javascript extension. If you accept that it's
your responsibility if it turns out to be a keylogger or what have you, not
the Chrome team's. They're shooting everyone in the foot because someone might
accidentally shoot their eye out.

~~~
skybrian
It's more like adding a safety that actually works (unlike clickthrough
warnings). If you know what you're doing, you can do a search and learn how to
drag and drop. Anyone who needs handholding for this shouldn't be doing it.

------
chocolateboy
There are at least two other ways of running userscripts in Chrome, neither of
which impose this restriction:

Tampermonkey:
[https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjoje...](https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjojejmpbldmpobfkfo)

Blank Canvas:
[https://chrome.google.com/webstore/detail/pipnnjjknlabchljab...](https://chrome.google.com/webstore/detail/pipnnjjknlabchljabhmnpdfpdobpnkk)

~~~
vacipr
Blank Canvas hasn't been updated since last year and Tampermonkey seems like a
privacy invader.

~~~
chocolateboy
> Tampermonkey seems like a privacy invader

That's a serious allegation. Care to back it up?

~~~
vacipr
This. <http://i.imm.io/E9zF.png> Seems like a lot of privileges for a
userscript managing extension.

Later edit: After a bit of searching I also found that FAQ. They should really
put that information on the chrome web store.

~~~
charliesome
> _This. <http://i.imm.io/E9zF.png> Seems like a lot of privileges for a
> userscript managing extension._

Well, no shit. How is TamperMonkey supposed to install extensions that require
more privileges than itself? It _needs_ full permissions because it allows
scripts you install full access.

~~~
vacipr
3 hours later, after I did some research, this reply was extremely
useful. Thanks.

------
nthitz
From the Chromium devs: "we're putting the power back in the user's hands by
allowing them to control where extensions are installed from. By default, the
Chrome Webstore is the only source, but users and administrators will be able
to add other safe sources as they see fit."

I don't know if the ability to add other sources has been implemented yet
though.

~~~
gergles
>Enterprise Administrators: You can specify URLs that are allowed to install
extensions, apps, and themes directly through the ExtensionInstallSources
policy[1].

[1]: <http://www.chromium.org/administrators/policy-list-3#ExtensionInstallSources>

EDIT: I just tried this on my Chrome 23 install and it appears to do nothing.

~~~
SafdarIqbal
What's the location of the policy file in Linux?

------
nuttendorfer
Google also killed user scripts that are self-updating like 4chan x. Before
you would just click OK on a popup informing you that there was a new version
and you were done.

Now you have to drag the downloaded file into a tab with chrome://extensions
open.

I don't know why Google hasn't left a switch in to deactivate this "security
measure".

Edit: security measure is between quotes because I don't think anybody on HN
would fall for something like that easily.

~~~
danielweber
The scare quotes are unnecessary. This really is a security feature and will
undoubtedly help vast numbers of people.

A switch would be fine, though. You might submit a patch for that.

~~~
Karunamon
>This really is a security feature and will undoubtedly help vast numbers of
people.

This is the worst kind of "feature" (and a colossal personal annoyance), the
kind that breaks functionality and/or convenience because some people don't
know how to handle their browser. I know how to handle my browser. Why are you
making my life harder?

How about a switch for big kids who don't need their hands held?

Note: If your answer begins with the word "fork", you lose.

~~~
mayanksinghal
> because some people don't know how to handle their browser

Actually their argument is that most people cannot handle their browser.

> How about a switch for big kids who don't need their hands held?

I think the GP already gave an answer to that. He agrees that there can be a
switch. And to _submit a patch_, you don't have to _fork_ :)

------
teh_klev
"I’m very disappointed to find that users can’t install userscripts directly
from the UserScripts.org – first they need to save the JS file locally and
then drag the file onto the Extensions page (chrome://chrome/extensions/)."

Bit of a misleading headline then?

~~~
Nerdfest
Yes, hopefully they haven't pulled a full Apple, like Microsoft has with their
'Metro' store. I don't think I can ever forgive them for making that sort of
lock-down acceptable.

------
franze
i was also very, very pissed at this ... until i discovered tampermonkey
[https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjoje...](https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjojejmpbldmpobfkfo)
they do userscripts right, and as userscripts are a "high end geek/nerd
application" anyway (i would guess only <0.1%[0] of all online users use
userscripts) i think it's justifiable to install this extension first (if
there is a security win for the rest of the 99.9%)

[0] if we guess that there are 2 279 709 629 worldwide internet users, then
this means there are still 2 279 709 userscript users.

------
DanielRibeiro
Note that you still can use userscripts[1], however you have to drag the crx
file into the extensions window, manually.

But userscripts.org's convenience was killed with this change. A change I find
to be very unfortunate.

[1] <https://github.com/defunkt/dotjs/issues/73>

------
ThomW
I'm kind of annoyed how it nuked the userscripts I had already installed
without any kind of warning. Would have been nice to have the choice before
they were all removed.

------
mrng
You can easily unpack any extension you've downloaded, and install them
manually (Check Developer mode > Load unpacked extension).

------
inghoff
Ironically, it sounds exactly like what Apple is doing with iOS/iPhone. "All
our apps should come from the app store because we review them and blah"
Considering Android's position of "you can install APKs, but at your risk," I
find this bizarre. Is Google slowly becoming Apple?

~~~
chmod775
You already have to tick a checkbox in the preferences before you can do so in
android. I could imagine something similar in chromium.

------
jdechko
An overreacting headline, no doubt. But reading the article, UserScripts.org
hasn't been killed, but the convenience factor is severely neutered.

~~~
humpolec
Also, userscripts are still perfectly usable under Firefox's Greasemonkey, as
well as Opera.

------
ryankshaw
Setting aside all of the political/philosophical objections to this decision,
from a practical perspective, I would be completely fine with this decision if
they changed one thing:

Make it dead simple for me to go to the 'developer dashboard' in the chrome web
store and let me create a new extension by just uploading a whatever.user.js
file. Don't make me package it up, don't make me know what a crx file is. Let
me just hack together some JS to scratch my itch, and throw it up somewhere.

~~~
Evbn
You would still need a manifest for security. But yeah, having a combined .JS
format instead of a zipped folder would be nice.

------
grimgrin
Is this not in effect on Chrome Canary? I use two Hacker News related
userscripts, and both are still working. Neither of them ever stopped working.

<http://userscripts.org/scripts/show/138469>
<http://userscripts.org/scripts/show/138037>

~~~
koenigdavidmj
They work; it's just more convoluted to install them at first.

------
crisnoble
Well I learned something awesome from this article:

"...userscripts are natively supported in Google Chrome without requiring
third-party add-ons... first they need to save the JS file locally and then
drag the file onto the Extensions page (chrome://chrome/extensions/)."

------
rryan
From the bug report it looks like they will allow users to choose safe
software sources. Presumably this means you could add userscripts to this list
and regain the old functionality. It's just not done yet.

      This change was made to protect users. Off-store extensions have
      become a popular attack vector for compromising users of larger
      sites (e.g. Facebook). Since the trend is only getting worse,
      we're putting the power back in the user's hands by allowing them
      to control where extensions are installed from. By default, the
      Chrome Webstore is the only source, but users and administrators
      will be able to add other safe sources as they see fit.

------
_seininn
what about people like me who can't or won't pay the 5$ webstore fee?

I suppose the only option left for me (and people like me) is to do what mrng
suggested and instruct users to download the unpacked version and install it
manually via dev. mode.

edit: it seems like there is another way on
[http://support.google.com/chrome_webstore/bin/answer.py?hl=e...](http://support.google.com/chrome_webstore/bin/answer.py?hl=en&answer=2664769&p=crx_warning)
(click on "Steps on adding extensions from other websites"). it makes things
better, but it still complicates things for the user. way to go, google.

------
fooey
there's a switch to re-enable extra-store extensions that you can use for now

--enable-easy-off-store-extension-install

------
erichocean
I wish there was a way for page authors to disable user scripts.

Yes, I realize that users can easily open up a console. I'm not afraid of the
users, I'm afraid of rogue JavaScript being injected into a page that's
reading sensitive data and using it for nefarious purposes.

~~~
philfreo
That would suck! The whole point of user scripts is giving power users
convenient control over ANY page in their browser - regardless of what the
website owner thinks.

------
rthprog
I'm a bit disappointed that Google's alternative (the Chrome web store)
requires a fee, even if it's only $5.

It seems kind of silly for Google to ask for a fee to distribute a free
extension, especially since there is no way for a developer to distribute it
themselves.

------
spyder
So will they do this with the regular downloads too? Because you can still
download malware with Chrome, can't you? And extension developers who aren't
accepted in the Google "walled garden" can create regular downloadable
software which forces their extensions into Chrome.

------
benburton
As someone who writes the occasional userscript in a github gist, I find this
to be really annoying. I understand the security perspective, but I think it
should be a bit easier to install your own scripts when you know what you're
doing.

------
buster
But userscripts.org is also for Firefox/Greasemonkey, is it not?

I never recognized or used userscripts.org with chrome (i did once or twice
with firefox).

So, it still has the firefox users which it was created for.

------
Groxx
Or they could release an extension which would install and run scripts from
UserScripts. Couldn't they? That would inline the whole process.

But yeah, I completely think this is actually, sadly, the correct choice.

------
css771
What's the big deal here? Anybody who wants to install other extensions can
still do so. How often do you install extensions from other sources anyway? I
think this is a good solution to the problem.

------
circa
Kind of a bummer. I still use a few GreaseMonkey scripts in Firefox and one of
the main reasons I still use some pages in FF. OinkPlus is still a great tool
for finding new music and artists.

------
mindslight
Try for an actual solution whereby most scripts have a few fine-grained
capabilities or can only modify specific sites? Better UIs so that people are
informed of what an addon is capable of? nah...

Security is hard; let's make shopping!

~~~
aboodman
We have that: <http://www.chromium.org/developers/design-documents/user-scripts>.
See @match.

Not enough users read or care about fine-grained capabilities.

~~~
mindslight
How good is the UI that points out the contraction of "Facebook style changer"
wanting to modify _all_ sites? And does this dialog include a warning for
extensions that are able to record all activities and phone them home to third
party servers, a combination of capabilities that most extensions should not
need? There's certainly underlying work that needs to be done to make the
latter a reality, but at least trying to solve the problem is better than
giving up and falling back to centralized computing.

It's true that users have been desensitized to important decisions through an
onslaught of mswin uninformed-consent OK/Cancel dialogs, but at some point
they have to be responsible for sensible security decisions (even if that just
means downloading Chromium from google.com and not google.com.ojwqodkja.ru).
The only way to completely protect a user from themselves is to revert their
computer into an unmodifiable display terminal, an idea that should be
appalling to anybody who values the concept of a _personal computer_.
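
Added example, not part of the thread or of Chromium's code: a check of the scope a userscript requests through the `@match` and `@include` keys discussed above, flagging the "Facebook style changer" case whose patterns reach every site. The sample scripts and all function names are constructed for illustration, and treating a script with no pattern as all-sites follows Greasemonkey's default, which is assumed here.

```javascript
// Added example: audit the scope a userscript requests via @match / @include.
// The sample scripts at the bottom are constructed for illustration.
function parseMetadata(source) {
  const meta = { name: null, match: [], include: [] };
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2];
    else if (m[1] === 'match' || m[1] === 'include') meta[m[1]].push(m[2]);
  }
  return meta;
}

// Returns the single host a pattern is limited to, or null if it can reach any site.
function patternHost(pattern) {
  if (pattern === '<all_urls>') return null;
  const m = /^[^:\/]+:\/\/([^\/]*)/.exec(pattern);
  if (!m) return null;                      // e.g. "@include *"
  const host = m[1].replace(/^\*\./, '');   // "*.example.com" is still one site
  // A wildcard left inside the host ("*", "*example.com") is treated as unbounded.
  return host === '' || host.includes('*') ? null : host.toLowerCase();
}

function auditUserscript(source) {
  const meta = parseMetadata(source);
  const patterns = meta.match.concat(meta.include);
  // Assumption: no pattern at all means every page (Greasemonkey's default).
  const hosts = patterns.length ? patterns.map(patternHost) : [null];
  return {
    name: meta.name,
    allSites: hosts.includes(null),
    hosts: [...new Set(hosts.filter((h) => h !== null))].sort(),
  };
}

// One-line summary suitable for an install prompt or a review queue.
function describe(source) {
  const r = auditUserscript(source);
  return r.allSites
    ? `"${r.name}" can read and change every site you visit`
    : `"${r.name}" is limited to: ${r.hosts.join(', ')}`;
}

// Constructed samples: same script name, different requested scope.
const sample = (patterns) => ['// ==UserScript==',
  '// @name   Facebook style changer',
  ...patterns.map((p) => `// @match  ${p}`),
  '// ==/UserScript==',
  'document.body.style.fontFamily = "serif";'].join('\n');
const SCOPED = sample(['https://*.facebook.com/*', 'https://facebook.com/*']);
const BROAD = sample(['*://*/*']);
console.log(describe(SCOPED));
console.log(describe(BROAD));
```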

------
eschulte
To keep you safe we've restricted your freedom.

~~~
ams6110
That's generally how all safety efforts work.

------
drivebyacct2
This was done a while back, was it not?

edit: I may not have been thinking clearly, I forget that I stay on the Dev
channel.

~~~
qntmfred
yes, i noticed it several weeks ago

