What Should These 10 Million Users Do?

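The Chrome development team released the Manifest V3 draft on November 18, 2018; it runs to 19 pages.

One important change is an upcoming restriction on the capabilities of webRequest, intended to better protect the security of Chrome users. For ordinary extension developers this may not matter much, but for developers who rely heavily on this API it is definitely terrible news.

A representative extension is Tampermonkey, known in Chinese as “油猴” (“oil monkey”).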

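1. Why does the change affect it so much?

2. Why could its author not help speaking out?

Because Tampermonkey is a userscript manager that relies on this API to download scripts remotely (as for what those scripts can do, there are too many possibilities to list; you can search for yourself). So on January 28 its author, Jan Biniok, posted the following on the chromium-extensions forum: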

Hi Chromium developers, Hi Devlin

I'm the Tampermonkey developer and I have not studied all the planned changes in detail yet, but this is the one that worries me most.

> Beginning in Manifest V3, we will disallow extensions from using remotely-hosted code. This will require that all code executed by the extension be present in the extension’s package uploaded to the webstore. Server communication (potentially changing extension behavior) will still be allowed. This will help us better review the extensions uploaded, and keep our users safe. We will leverage a minimum required CSP to help enforce this (though it will not be 100% unpreventable, and we will require policy and manual review enforcement as well).

While the text above might be interpreted in a way that an extension like Tampermonkey can continue to exist, I got the following explanation from Devlin in an email:

> Note that we will be limiting remotely-hosted/arbitrary code execution in all contexts. The goal is that we should be able to perform an in-depth security review of an extension and be confident in what it does and whether it poses a security or privacy risk to users (which is possible through web page contexts, as well). But let's move this conversation to another thread. :)

I understand the need for security, but this means that V3 P1, in the way it's currently planned, will stop Tampermonkey from working entirely, because arbitrary code execution is Tampermonkey's main functionality. Every little userscript would then have to become its own extension. Anyone who wants to do that has to pay $5 to be able to publish an extension. There are so many use cases for userscripts so I hope that this planned change is reconsidered.

One possibility would be e.g. a new permission that relaxes this constraint and allows remote code execution again. All extensions with this permission could then be provided with a special warning and be examined more intensively.

What do you think?

I've been working on Tampermonkey since Chrome version 4 or 5 and I could not live without it anymore. :)

Thanks,
Jan

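The statement shows that the author is very worried about the changes in this draft; he says he has been developing Tampermonkey since Chrome version 4 or 5 and can no longer do without it.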
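The quoted draft text says a minimum required CSP will help enforce the ban on remotely hosted code. As an added example (not code from the original post, from Tampermonkey or from Chrome), the following check audits an extension manifest's `content_security_policy` for script sources that are not package-local. It assumes that only `'self'` and `'none'` are acceptable script sources; the draft's actual minimum CSP is not given on this page, and the sample manifests are constructed.

```javascript
// Added example: flag CSP script sources that would let extension pages run
// code not shipped in the package. Assumption: only 'self'/'none' are local.
const LOCAL_ONLY = new Set(["'self'", "'none'"]);

// Parse a CSP string into a Map of directive name -> list of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, the first occurrence of a directive wins; repeats are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the declared policies: a single string (MV2) or an object keyed by
// context such as extension_pages (MV3). No key means the browser default.
function policiesOf(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return { extension_pages: csp };
  if (csp && typeof csp === "object") return csp;
  return {};
}

// List findings: script sources that are not package-local.
function auditManifest(manifest) {
  const findings = [];
  for (const [context, policy] of Object.entries(policiesOf(manifest))) {
    if (typeof policy !== "string") continue;
    const directives = parseCsp(policy);
    // script-src falls back to default-src when it is absent.
    const which = directives.has("script-src") ? "script-src" : "default-src";
    const sources = directives.get(which);
    if (sources === undefined) { findings.push({ context, directive: null, source: null }); continue; }
    for (const source of sources) {
      if (!LOCAL_ONLY.has(source.toLowerCase())) {
        findings.push({ context, directive: which, source });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const remoteManifest = { manifest_version: 2, content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
const localManifest = { manifest_version: 3, content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } };
console.log(auditManifest(remoteManifest), auditManifest(localManifest));
```

A finding with `directive: null` means the declared policy restricts scripts through neither `script-src` nor `default-src`.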

Earlier, on January 22, the US site bleepingcomputer had reported on the impact on uBlock.

Then, on January 28, it published another article.

Tampermonkey now has more than 10 million users and more than 400,000 userscripts, and it supports multiple browsers.

So the change affects not only developers; it is also bad news for the large user base.

This is still a draft and the final content has not been settled, so let us wait quietly!

Originally published on the WeChat public account 前端黑板报 (FeHeiBanBao)

Original publication date: 2019-01-30
