GreaseMonkey is a Firefox extension that allows you to add “user scripts”: bits of JavaScript which are attached to a particular URL or set of URLs that run when that URL is visited. In essence, it’s like having a bookmarklet that does something useful to a page and having that bookmarklet automatically run when certain pages are visited. With the powers of introspection that come from the DOM, JavaScript can make any changes to a page that it likes, and this is where GreaseMonkey comes in very handy. There’s already a repository of useful user scripts that implement customisations to certain sites, from showing prices inclusive of tax on EBay UK to fixing IE-specific bits in the MSDN documentation.

One of the most powerful, though, is Mihai Parparita’s “Add Persistent Searches to GMail”. The script gives GMail the “saved searches” or “virtual folders” feature from desktop mail clients such as Thunderbird, Evolution, or It works by adding a new HTML block to the page which contains your “saved searches”: these searches themselves are saved in a cookie and the cookie is loaded by the script. The script uses Ajax techniques to fetch the number of messages in each saved search in order that they can be displayed in the HTML block, and updates those figures every two minutes. I can imagine this being rolled into GMail at some point in the future, but until then GreaseMonkey provides the ideal way to prototype such functionality (as the “Edit styles” bookmarklet or the Edit CSS part of the web developer toolbar do for CSS) and to distribute it out to early adopters.

  • That is freakin’ brilliant. GreaseMonkey (and bookmarklets) add a whole new angle to the idea of rich web applications – the JavaScript on the site becomes an API for customising the applications. The Google Maps bookmarklets are another great example of this.

  • Impressive stuff.
    I have wanted to know more Javascript for a while, but now I don’t have to as my visitors can just write their own ;)

  • sil

    Yes indeed. This sort of thing works well as long as you have a well-defined URL API for getting at data (examine for the best example). If, for example, GMail used some complex URL scheme which wasn’t stable and didn’t have the same URLs for a given search (it added loads of “session ID” stuff or whatever) this would be a lot harder to write. This is why a good URL API is important, why REST is great, and why SOAP etc is a lot more of a pain, because you need SOAP built in to the browser to use it in this sort of situation.

  • See, i can definitely agree that’s great and all, i mean you’re giving yourself features that you don’t have provided, BUT, from a web developer’s standpoint doesn’t this concern anyone? I mean I use a lot of things like the way forms are passed around and html along with my programming language to ensure some security. For one thing if someone gets in there and starts monkeying around (no pun intended) they’re going to more than likely screw a lot of stuff up before they’re going to get it right, which could mean bad data getting in the db, could mean security problems. While it’s cool, I don’t really see this as any different than another form of hacking, that personally I feel shouldn’t be allowed.

  • Jim

    You should not be expecting any sort of security when you’re passing around forms. If you’re relying on anything that can be reached through the DOM and javascript to protect you, you really need to invest in learning better security practices. If you’re not validating user input with anything other than javascript, for instance, what do you do with someone who has it disabled?

    People should be able to do what they want to a page in their browser, as long as they don’t get on your server to do it for everyone ;).

  • Jeremy Dunck

    A responsible web app developer should not expect valid data from the browser. At all.
    You can use client side JS and specific data modelling to improve user experience, but the only thing you (the developer) really control is the server, and that’s where trust needs to be established.
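
Added example, not part of the original comments or of Greasemonkey: the point made in the comments above, that the server must re-check every posted field because a user script or any non-browser client can change what the page sends, written as a Node.js validation function. The order form, its field names and the CATALOGUE and SHIPPING tables are hypothetical.

```javascript
// Server-side re-validation of a posted order form (hypothetical form and tables).
const CATALOGUE = { "sku-100": 1999, "sku-200": 4500 }; // prices in pence, held on the server
const SHIPPING = { standard: 399, express: 999 };
const MAX_QTY = 10;
const MAX_NOTE = 200;

function validateOrder(form) {
  const errors = [];
  // Only own properties count, so "__proto__" or "toString" are not valid keys.
  const has = (table, key) =>
    typeof key === "string" && Object.prototype.hasOwnProperty.call(table, key);

  if (!has(CATALOGUE, form.sku)) errors.push("sku: unknown product");
  if (!has(SHIPPING, form.shipping)) errors.push("shipping: not an offered option");

  // The page's <select> only offers 1..10, but the request can carry anything.
  const qtyText = typeof form.qty === "string" ? form.qty : "";
  const qty = /^[0-9]{1,2}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!(qty >= 1 && qty <= MAX_QTY)) {
    errors.push("qty: must be a whole number from 1 to " + MAX_QTY);
  }

  // maxlength on the <textarea> is a hint to the browser, not a guarantee.
  const note = form.note === undefined ? "" : form.note;
  if (typeof note !== "string" || note.length > MAX_NOTE) {
    errors.push("note: too long or not text");
  }

  if (errors.length > 0) return { ok: false, errors };

  // The hidden "price" field is never read: totals come from server-side tables.
  const total = CATALOGUE[form.sku] * qty + SHIPPING[form.shipping];
  return { ok: true, order: { sku: form.sku, qty, shipping: form.shipping, note, total } };
}

// Constructed sample requests: what the unmodified page sends, and what an
// edited page or a non-browser client could send to the same URL.
const fromPage = { sku: "sku-100", qty: "2", shipping: "standard", price: "1999", note: "" };
const edited = { sku: "sku-100", qty: "-5", shipping: "free", price: "1", note: "x".repeat(500) };

console.log(validateOrder(fromPage));
console.log(validateOrder(edited));
```

Client-side checks can stay in the page for usability; this function is what decides whether the order is accepted.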

  • Jeremy Dunck

    You know, I was just wondering how long it might be before they think to implement URL-per-message and URL-per-conversation.

    Authenticated, of course.

    I just felt a need to refer to a previous email in a note to myself, and it sure would have been handy to refer to it by identifier.

  • boogs


    The most important thing to remember when developing web applications is that you can never trust the client. I can’t count the number of times when this has been drilled home by older, wiser souls.

    Even though you are used to looking at it in a browser, where the inputs are somewhat controlled, other people are not.

    Anything you put on a server is accessible to anyone using any client. It is literally impossible to keep non-browser user agents from monkeying with your public website. This is the entire idea of the web, and it is how great services like search engines are possible.

    The solution is to stop making these assumptions, not to ban useful extensions like gm.

    full disclosure: i wrote the initial version of gm.

  • I think Ryno’s got it now, after 3 paraphrased explanations ;-)

    If this were any other explanation, I’d say it’s overkill. Unfortunately, not validating data on the server is the #1 reason for security breaches in websites. It accounts for something like 90% (or so I remember from somewhere) of security breaches.

    So, once again: We can never, ever, ever, ever trust what the browser will give us (Except in intranet apps)

    I love to see developments like this, as I use bookmarklets constantly :)

  • stylo

    I just installed it on ff1.01 and can’t edit/add any urls in the options dialogue for where the script is applied. Add and edit buttons do nothing. Can delete the sites it is applied to already, however. Something wrong. Any ideas?

  • NightFallTech

    It never ceases to amaze me how many people persist in relying on client side authentication. If it’s running on an environment that somebody else can control, then you can’t trust it, end of story.

  • sil

    Brak: in a world where something like 80% of security breaches are internal, you can’t trust the client in intranet apps either…

    Don’t trust the client. I think everyone’s being very clear about this :-)

  • This is to me the best extension for ff so far. As a webdeveloper/programmer i use the webdev-toolbar which is nice. But finally target="_blank" is history, and so is people writing urls outside hyperlinks. It simply improves the overall experience of the internet.

    The only “bad” thing as a webdeveloper this brings is that using it while developing can blind me to errors or potential errors.

    In the end: two thumbs up for GreaseMonkey.

  • Sorry guys for waiting so long to reply, I thought it would send me an email or something. Looks like I’m being bashed in here so let me clarify a few things. I definitely, most certainly do more validation than just js or forms or the such. That is not my point. My point is that you are changing a page, changing the functionality of it. It’s one thing to apply your own stylesheet to a page, that’s just the way it looks. But we’re talking about a “feature” that gmail obviously hasn’t seen fit for one reason or another to include.

    Look at Google’s autolink feature in the toolbar for example. Webdevelopers everywhere are upset about the fact that it’s going to be changing the page to create links, links they did not approve. Yet this gm is doing the very same type of thing.

    And let me just reiterate my statement once again, cause man if 20 stinking people in the comments didn’t say the same dang thing: I don’t rely on js validation, or anything the client gives me, I use coldfusion server side validation ON EVERYTHING.

    What if gmail hasn’t given this “feature” you are adding to everyone for a reason? What if they are worried about serverload (probably not if you’re storing it as a cookie), but you see what I’m getting at.

    I guess I’m just old-fashioned and say that if you want to see a feature on a web application, email them and tell them about it.

  • You are missing some of the points that have been made.
    It has always been possible to manipulate a site as you want, after all, you have the client code and can do whatever you like with it before viewing it. I have actually seen an entire browser made just for ONE site, with special features to ease the use of this site. In that particular case it was a browserbased rts game.

    The point is that this can be done, whether you like it or not. I as a webmaster/webdeveloper/programmer can somewhat understand your worry about users creating features you did not want them to have, and then you can’t blame GM for it, rather the http protocol, GM just makes it easier to do this.

    This can also help push sites forward, if users can add a feature for your site you will have more pressure to implement that feature to the site yourself for everybody.

    I’m just thrilled that i, as a user, will not have to deal with non-clickable urls and links that open in new windows.

  • Actually, looking back through, the only point that has been made in here is not to trust client side validation.

    Honestly, do you think the minority of people who know enough to install and use gm are going to make a dent in how gmail does things? I say a minority in comparison to the millions out there that use gmail and won’t be savvy enough to do this.

    Again, I point to the google toolbar which I have read countless accounts of webmasters being forcefully against, yet it is the very same thing being used here.

    Again, I don’t see a distinction here between this and hacking. We aren’t talking about just using a different stylesheet, we’re talking about using an unpublished API to change the functionality of a website.

    Also, I need to point out that in Gmail’s program policies found at
    it states:
    In addition to (and/or as some examples of) the violations described in Section 3 of the Terms of Use, users may not:
    Modify, adapt, translate, or reverse engineer any portion of the Gmail Service
    Reformat or frame any portion of the web pages that are part of the Gmail Service

    Not sure if the last one applies to this, but I’m pretty darn sure that the first one does.

  • I can agree that the gmail policy seems to raise some discussion.
    But as long as a “terms of use” is not presented to the user that contains something against this, you have the right to do this.

    A simple case:
    I don’t understand the language gmail uses, so i have someone translate it for me and i use this translationsheet to be able to read the site. Now, this is actually breaking their policy! I don’t think that is intended, but it certainly is a valid interpretation.
    Now, what if i create a script using GM that translates it directly for me, no more need to look up every sentence. It’s basically the same thing, just different methods.

    I can hardly see the policy intended to not let me do that.

    I must also admit that since i don’t use gmail i haven’t tried the GMscript for it.

    What i find very funny is that by gmail policies the google toolbar is breaking their own policy. It does reverse engineer the pagerank (discussable i guess).

    Back to the point.
    Browsers have never followed the w3standards perfectly, so each pageview can differ a lot from what browser you use.
    FF is not perfect either, it has its nasty bugs as all of them.
    GM can actually be something that we will see more of in the future. Let the user decide how it looks and feels. And it is limited how much extra functionality you actually can create, you have to work with the data you have been given from the server.

  • I am not sure I even understand what you mean. Translating a page is much different than using an unpublished api to change the functionality. And I definitely don’t understand what you mean by the google toolbar reverse engineering the pagerank…It is Google’s pagerank, they made it they don’t have to reverse engineer it…

    Again, we aren’t talking about how a downloaded html page is displayed in our browsers, we are talking about using internal gmail functions in a way they were not intended.

    And please clarify your second sentence for me, “but as long as a “terms of use” is not presented to the user that contains something against this, you have the right to do this.” I understand that you don’t have gmail, but surely you understand that to use gmail you are agreeing to their terms of use, which contains the line I stated above.

  • There’s a big difference between one company being able to control millions of web pages for millions of users through an on by default feature of their already popular software, and a system where people individually install small scripts to change minor parts of site functionality.

    GM scripts are opt-in — you install a script when you want to use the precise functionality, whereas the Google toolbar rewriting is a feature most users probably won’t even be aware of and which is used by default. Opt-out.

    In any case, the ultimate control with the GM scripts resides with the user, whereas the ultimate control with the google toolbar resides with, well, Google.

    As an aside, how often have you seen Google actually use those terms of use to stop someone using their services? To my mind, it’s obviously there as a catch all in case people do implement services they find unacceptable — if there is a service publicly available that they haven’t used the TOS against, then they obviously don’t mind it.

  • A small typo in the original post: there is not (yet) a Greasemonkey script for eBay UK — it’s for UK.

  • stylo

    Not that I like the autolinks, but individuals have to download and install the googlebar too, but anyway, far more importantly (for me at least):

    “I just installed greasemonkey on FF1.01 and can’t edit/add any urls in the options dialogue for where the script is applied. Add and edit buttons do nothing. Can delete the sites it is applied to already, however. Something wrong. Any ideas?”

    Anyone else the same?

  • So you mean to tell me that because google does it more that it’s a different story? So someone who only murders once isn’t as bad as someone who is a serial killer?

    And so you’re saying that when you install the google toolbar and agree to the terms of service that you aren’t opting in? that just because you aren’t observant enough that it’s considered opting out?

    And just because no-one has been caught yet, you feel like google feels it is acceptable? You think that because they haven’t called their lawyers to send you a cease and desist letter, or simply deactivated your account, most likely because they just haven’t noticed *yet* that that constitutes them considering it acceptable? Just because you haven’t been caught yet, doesn’t mean it isn’t wrong. And just because google offers something in a toolbar readily available to millions doesn’t make them any more responsible for their actions than a piece of software available only to two.

  • You’re getting far too upset about this — or at least sound like it. This isn’t life or death, it’s etiquette.

    And yes, I do feel Google finds current uses acceptable. If they cared, they could easily build tools to check whether people are breaching their TOS, just like they do with adsense. They haven’t, which tells me that they simply aren’t bothered. If they’re not bothered, why should I be?

    As for opting in by downloading the google toolbar, that’s an entirely different story. People don’t read TOS. It simply doesn’t happen. People see a new version of a tool they like, a tool which they already use and download an update, and suddenly sites are rewritten all over the place.

    With GreaseMonkey, a user specifically opts in to each exact behaviour and service, because they individually pick the scripts they install — it doesn’t come with a large bundle all installed by default.

    Oh, and I simply can’t resist: “Someone who murders once isn’t as bad as someone who is a serial killer?” No shit, sherlock. That’s not to say that someone who kills once is good, but as bad? Please. Let’s ignore the fact that if you kill once it could be an accident, something you bitterly regret and will never do again, whereas a serial killer is someone who chooses to kill repeatedly.

    Leaving that aside, how could a sane person possibly say that somebody has murdered once, so now they can murder again as many times as they want without being ‘worse’?

  • LiquidBrain

    This is great idea, BUT!!!
    Letting other people do your job is really stupid. What if 5 of your clients need some functionality and only one is able to write that code and use it?

  • Rynoguill: you are mixing up right/wrong with allowed/not-allowed.
    Any commercial license like this will try and cover every possibility – just because you think that something might be covered doesn’t mean it will get you in trouble. The toolbar is a perfect example: if it is useful to the original developer it is okay as long as it doesn’t break anything.

    To get back on topic, the big issue is with Google’s new link modification feature – that is not under control of either the page author or the user, these are the only people who have the right to modify a page, not a middle-man like Google, unless they are _completely_ open, as they are with their page translations services.

  • awwaiid

    Sure — the application should never trust the response from the client, until that data has been cleaned and looked over.

    But there is another question here — with said man-in-the-middle scripts, can the client trust the server? Or rather, can you trust the man in the middle?

  • F. Dewhurst

    Wish Gmail Had a Delete Button?

  • i remembered this post here about greasemonkey… just wanted to let everyone know of an awkward downside of using this tool. for some awkward reason, it was inserting content into rich text editors that our company is using. it would eventually get inserted into the database… which then gets out-putted to a front end… which causes a js error when loaded. … all because i installed GreaseMonkey. So. All for that, I had to uninstall it. But besides that, it still sounds pretty cool.
