This is cool. I worry about the fact that it is downloading code over HTTP. Of course userscripts.org does this too, but the regular updates this fires off make it easier to attack.
I wish that we could access us.o scripts over SSL, but right now it looks like there is a certificate mismatch. - a On Fri, Feb 27, 2009 at 5:25 PM, Mislav <[email protected]> wrote: > > Hello gm hackers, > > I'd like to share the update checker script that I developed for > Endless Tweets. This is how it looks in the wild: > http://skitch.com/mmarohnic/bgkkd/update-notification-on-endless-tweets > > I'm re-using the same visual element Twitter uses for informing their > users about planned downtimes and other important messages. The link > leads to the script's description page on userscripts.org so that the > person can inspect the changelog before updating. > > The generic code is here: http://gist.github.com/71807 (example usage > in the bottom) > > What it does is that it periodically (every 2 days) checks the script > source on userscripts.org -- but it doesn't fetch the whole source; > instead if makes a HEAD request (very lightweight, fast) to only get > the HTTP headers for the script file. The length in bytes is then read > from the "Content-Length" header and compared to the current script > length -- if they differ, we have an update, so the callback is > processed and periodical checking halts until the user has installed a > newer version. > > The only drawback I see with this method is that the script cannot > know its length in bytes at runtime, so you have to hardcode this > value in the script itself prior to every push on userscripts.org. > > The other drawback is it relies on cross-domain XHR ability so it > can't have effect in Safari or Fluid where GM_xmlhttpRequest is > unavailable. > > Does anybody know how could one make an updater for these browsers? > Endless Tweets otherwise runs just fine on Safari and Fluid because it > emulates GM_xmlhttpRequest with XMLHttpRequest and re-implements > GM_addStyle/getValue/setValue if they're undefined. > > Perhaps userscripts.org could implement a JSON-P API that would return > this information about the script, so that we could request this even > if we have to bypass same-domain restrictions? > > Thanks, > # Mislav > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "greasemonkey-users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/greasemonkey-users?hl=en -~----------~----~----~----~------~----~------~--~---
