英文:
Prevent sharing of TamperMonkey script beyond certain users
问题
我在想是否可以与特定人分享一个TamperMonkey脚本,并使用他们的指纹,以便他们无法与其他人分享该脚本。这可能吗?
英文:
I was wondering if it is possible to share a TamperMonkey script with only certain people and use their fingerprints so they can't share the script with anyone else. Is it possible?
答案1
得分: 1
没有绝对可靠的方法。对于感兴趣并足够熟练的人来说,他们将能够找到绕过您设置的任何保护措施的方法。用户脚本在客户端机器上运行;客户端机器必须拥有代码才能运行它,而客户端对自己的机器有完全控制,因此了解浏览器和用户脚本工作原理的人可能会找到一种绕过方法。
但是,您可以使脚本更难分享。一种可能性是,用户脚本本身(包括元数据块等)不包含实际有趣的代码,而是仅包含远程从您控制的服务器获取文本的代码。然后,如果用户被允许运行脚本,您的服务器将用实际的代码进行响应,如果是这样,用户机器上的用户脚本将运行脚本响应(例如,使用附加的<script>
标签,或类似的方式)。
要确定特定客户端是否应该获得脚本,您可以设置一个登录系统。要求用户在最初请求脚本时发送他们的凭据。然后不仅在服务器上的数据库中验证这些凭据,还要与浏览器指纹和用户已知的IP地址进行验证。只有当这三者都匹配时才发送代码。(首次注册用户时,您需要以某种方式获取他们的IP地址,例如通过向他们发送到您站点的个性化链接。)
这使得您的脚本更难分享,因为如果用户只是与其他人分享原始脚本,它将无法正常工作。如果用户分享原始脚本以及他们的网络连接,除非浏览器具有相同的指纹,否则它也不会工作。但足够聪明的人将知道他们可以打开浏览器的开发工具并访问代码的主体部分,然后分享它。
还有其他方法,但对于您作为脚本作者来说,这仍然需要很多工作,从根本上来说,这不是一个可以解决的问题。依我看,不要费心;拥抱开源。
英文:
No approach is foolproof. Someone who's interested and skilled enough will be able to find a way past whatever protection measures you put in place. Userscripts run on the client's machine; the client machine must possess the code in order to run it, and the client has full control of their own machine, so someone who knows a bit of how browsers and userscripts work will probably be able to figure out a workaround regardless.
But you can make it harder for a script to be shared. One possibility would be for the userscript proper (with the metadata block and such) to not contain the actual interesting code, but to instead only contain code that remotely fetches text from a server you control. Your server then responds with the actual code if the user is permitted to run the script, and if so, the userscript on the user's machine runs the script response (for example, with an appended <script>
tag, or something like that).
To identify whether a particular client should be given the script, you could set up a login system. Require the user to send their credentials when initially requesting the script. Then validate those credentials not only in the database on your server, but also against a browser fingerprint, and also against the known IP address(es) of the user. Only send the code if all three match. (When signing up a user for the first time, you'll need to get their IP address somehow, such as by sending them a personalized link to your site.)
That makes it harder for your script to be shared because if the user simply shares the original script with someone, it won't work. If the user shares the original script and their network connection, it won't work unless the browsers have identical fingerprints. But someone intelligent enough will know they can open their browser's devtools and gain access to the meat of the code, and share that.
There are other approaches, but that's still a lot of work for you, the script-writer to implement, and fundamentally, this is not a solvable problem. IMO, don't bother; embrace open source.
答案2
得分: 0
代码部分不需要翻译。以下是要翻译的文本:
"The whole point of a script is that it's some text that has meaning to a computer. There's nothing you can do to stop someone from simply copying and pasting, and thus nothing stopping them from sharing it. However, while you can't really stop anyone from sharing the script, there are some things you can do to get in their way."
"Using real biometric fingerprints would be really hard, considering most computers do not have a fingerprint sensor and from a permissions standpoint. It'd be best to only allow some browser fingerprints instead. Using some advanced techniques, some smart people found out that you can run some JS code and get a number that is unique to the running browser each time. Consider looking into a package like 'get-browser-fingerprint' to get browser fingerprints and simply quitting the script if the fingerprint doesn't match one of the presets."
"However, anyone can still just change the code to remove this protection, so you'll want to obfuscate the whole script. This means running it through a program that makes it really ugly and really confusing, but still runnable. Obfuscation is reversible, but it takes quite a bit of work. Here's an example from this online JS obfuscator:"
"console.log('hi');"
"becomes"
"var _0x2be90f=_0x337b;function _0x5af6(){var _0x1cec7f=['17774990EijQlt','7657191Hbnsrq','10meabHV','328mRoSjv','3366273JDQtfM','1855566rgrUtg','960084UnADqG','1NcwfoY','135282VOtoAu','log','2552244wDCqcA'];_0x5af6=function(){return _0x1cec7f;};return _0x5af6();}function _0x337b(_0x2fbccd,_0x5871c5){var _0x5af66a=_0x5af6();return _0x337b=function(_0x337b45,_0x43fff6){_0x337b45=_0x337b45-0x174;var _0x574e2d=_0x5af66a[_0x337b45];return _0x574e2d;},_0x337b(_0x2fbccd,_0x5871c5);}(function(_0x58a2b9,_0x3115b5){var _0xbf3873=_0x337b,_0x2fa375=_0x58a2b9();while(!![]){try{var _0x4bd27c=parseInt(_0xbf3873(0x17d))/0x1*(-parseInt(_0xbf3873(0x17b))/0x2)+parseInt(_0xbf3873(0x17a))/0x3+-parseInt(_0xbf3873(0x17c))/0x4+-parseInt(_0xbf3873(0x178))/0x5*(parseInt(_0xbf3873(0x175))/0x6)+-parseInt(_0xbf3873(0x17e))/0x7*(-parseInt(_0xbf3873(0x179))/0x8)+-parseInt(_0xbf3873(0x177))/0x9+parseInt(_0xbf3873(0x176))/0xa;if(_0x4bd27c===_0x3115b5)break;else _0x2fa375'push';}catch(_0x381ba4){_0x2fa375'push';}}(_0x5af6,0xc8d4d),console_0x2be90f(0x174);"
"And, finally, if you want to use the Big-Tech approach, then threaten your friends with legal action for violating your copyright on the script if they share it (this is a joke)."
英文:
The whole point of a script is that it's some text that has meaning to a computer. There's nothing you can do to stop someone from simply copying and pasting, and thus nothing stopping them from sharing it. However, while you can't really stop anyone from sharing the script, there are some things you can do to get in their way.
Using real biometric fingerprints would be really hard, considering most computers do not have a fingerprint sensor and from a permissions standpoint. It'd be best to only allow some browser fingerprints instead. Using some advanced techniques, some smart people found out that you can run some JS code and get a number that is unique to the running browser each time. Consider looking into a package like get-browser-fingerprint
to get browser fingerprints and simply quitting the script if the fingerprint doesn't match one of the presets.
However, anyone can still just change the code to remove this protection, so you'll want to obfuscate the whole script. This means running it through a program that makes it really ugly and really confusing, but still runnable. Obfuscation is reversible, but it takes quite a bit of work. Here's an example from this online JS obfuscator:
console.log('hi');
becomes
var _0x2be90f=_0x337b;function _0x5af6(){var _0x1cec7f=['17774990EijQlt','7657191Hbnsrq','10meabHV','328mRoSjv','3366273JDQtfM','1855566rgrUtg','960084UnADqG','1NcwfoY','135282VOtoAu','log','2552244wDCqcA'];_0x5af6=function(){return _0x1cec7f;};return _0x5af6();}function _0x337b(_0x2fbccd,_0x5871c5){var _0x5af66a=_0x5af6();return _0x337b=function(_0x337b45,_0x43fff6){_0x337b45=_0x337b45-0x174;var _0x574e2d=_0x5af66a[_0x337b45];return _0x574e2d;},_0x337b(_0x2fbccd,_0x5871c5);}(function(_0x58a2b9,_0x3115b5){var _0xbf3873=_0x337b,_0x2fa375=_0x58a2b9();while(!![]){try{var _0x4bd27c=parseInt(_0xbf3873(0x17d))/0x1*(-parseInt(_0xbf3873(0x17b))/0x2)+parseInt(_0xbf3873(0x17a))/0x3+-parseInt(_0xbf3873(0x17c))/0x4+-parseInt(_0xbf3873(0x178))/0x5*(parseInt(_0xbf3873(0x175))/0x6)+-parseInt(_0xbf3873(0x17e))/0x7*(-parseInt(_0xbf3873(0x179))/0x8)+-parseInt(_0xbf3873(0x177))/0x9+parseInt(_0xbf3873(0x176))/0xa;if(_0x4bd27c===_0x3115b5)break;else _0x2fa375['push'](_0x2fa375['shift']());}catch(_0x381ba4){_0x2fa375['push'](_0x2fa375['shift']());}}}(_0x5af6,0xc8d4d),console[_0x2be90f(0x174)]('hi'));
And, finally, if you want to use the Big-Tech approach, then threaten your friends with legal action for violating your copyright on the script if they share it (this is a joke).
答案3
得分: -2
我不了解TamperMonkey,但我会提出一个想法...
我向用户提供某项特定的服务(客户端),要求捐赠,为了确保该服务仅在他们的计算机系统上运行,而不在其他地方运行,我会检查他们的MAC地址,这个地址可以通过node.js访问,我可以在我的项目环境中利用它。
希望这有所帮助。
英文:
I don't know anything about TamperMonkey but I'll post an idea anyway...
I offer a certain service to users (client-side) subject to a donation and the way I ensure it only works on their computer systems and no other, is to check their MAC address which is accessible to me thanks to node.js which I can utilize in my project's environment.
I hope this helps.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论