Code is using an unauthorized external script

§
Posted: 2025-04-04

Script sync failed - Code is using an unauthorized external script: @require https://f9y4ng.github.io/GreasyFork-Scripts/lib/frColorPicker.js#sha256-5qwlU92m9JJzPnwytGBsLkwXoqPnnrjKFATILied8Os=

Since greasyfork is blocked by the Chinese government, all calls to @require resources at the greasyfork address will cause TM to delay loading the script for tens of seconds, so I need to update to the new address. However, when updating, I was prompted: "Code is using an unauthorized external script".

Why are external addresses in scope not supported?

Scripts with subresource integrity hashes: Use of @require and @resource with URLs with subresource integrity in the Tampermonkey format is allowed.

https://greasyfork.runtimutd.eu.org/en/help/external-scripts?locale_override=1#:~:text=Scripts%20with%20subresource%20integrity%20hashes

§
Posted: 2025-04-19

https://greasyfork.runtimutd.eu.org/en/help/cdns

You can use this: https://www.jsdelivr.com/github

jsdelivr is not blocked in China.

§
Posted: 2025-04-19

https://greasyfork.runtimutd.eu.org/en/help/cdns

You can use this: https://www.jsdelivr.com/github

jsdelivr is not blocked in China.

Thanks, @𝖢𝖸 𝖥𝗎𝗇𝗀.

The file I referenced was not a standard library, and it was not released, so jsdelivr cannot generate links that comply with greasyfork external link rules. I've changed the references back to the Greasyfork library so that those third-party mirror sites can automatically mirror the library files as well. The only thing is that the update can't use the github webhook; I just have to update it manually.

The only thing I can't understand is that the external link site supports subresource integrity hashes in the rules, but it actually refuses them, and I don't understand what this is doing.

§
Posted: 2025-04-20

it was not released, so jsdelivr cannot generate links that comply with greasyfork external link rules.

You don't need to release.

Your file is hosted in https://github.com/F9y4ng/GreasyFork-Scripts/blob/master/lib/frColorPicker.js

Your raw file is https://raw.githubusercontent.com/F9y4ng/GreasyFork-Scripts/refs/heads/master/lib/frColorPicker.js


Since Greasyfork needs a commit-specific version, your last commit is https://github.com/F9y4ng/GreasyFork-Scripts/tree/eed6c82925c3bae43229b9aa57ea00affcbea00b

https://github.com/F9y4ng/GreasyFork-Scripts/blob/eed6c82925c3bae43229b9aa57ea00affcbea00b/lib/frColorPicker.js

-> https://raw.githubusercontent.com/F9y4ng/GreasyFork-Scripts/eed6c82925c3bae43229b9aa57ea00affcbea00b/lib/frColorPicker.js


Then use https://www.jsdelivr.com/github

Paste https://raw.githubusercontent.com/F9y4ng/GreasyFork-Scripts/eed6c82925c3bae43229b9aa57ea00affcbea00b/lib/frColorPicker.js and generate

It becomes https://cdn.jsdelivr.net/gh/F9y4ng/GreasyFork-Scripts@eed6c82925c3bae43229b9aa57ea00affcbea00b/lib/frColorPicker.js


When you update the script, change eed6c82925c3bae43229b9aa57ea00affcbea00b to the newer commit. jsdelivr will also fetch the latest and make it "CDN".


GreasyFork (Jason) trusts the website domain more than subresource integrity hashes.

Also, he encourages developers to use CDN links and the GreasyFork library. The files in these sources look "secure". If you put files on your arbitrary domain, they could be dangerous scripts.

§
Posted: 2025-04-20

https://cdn.jsdelivr.net/gh/F9y4ng/GreasyFork-Scripts@eed6c82925c3bae43229b9aa57ea00affcbea00b/lib/frColorPicker.js

Haha, this so-called security measure is very much self-deception, which is ironic. However, thanks for your advice, @𝖢𝖸 𝖥𝗎𝗇𝗀.

Also, if GF does not support subresource integrity hashing, don't mislead others on the guidance page referenced by external scripts.

JasonBarnabe (Admin)
§
Posted: 2025-04-20

Use of @require and @resource with URLs with subresource integrity in the Tampermonkey format is allowed.

Tampermonkey format:

// @require https://code.jquery.com/jquery-2.1.1.min.js#md5=45eef...

The separator between the hash format (md5, sha256, etc.) and the hash is =, not -.

§
Posted: 2025-04-20

Use of @require and @resource with URLs with subresource integrity in the Tampermonkey format is allowed.

Tampermonkey format:

// @require https://code.jquery.com/jquery-2.1.1.min.js#md5=45eef...

The separator between the hash format (md5, sha256, etc.) and the hash is =, not -.

I have seen a similar discussion before on Greasy Fork. "-" shall be acceptable as this is well recognized by the major userscript managers.

https://www.tampermonkey.net/documentation.php?locale=en#api:Subresource_Integrity

JasonBarnabe (Admin)
§
Posted: 2025-04-20

Doesn't look so much forgotten as incomplete, because I did make a change.

JasonBarnabe (Admin)
§
Posted: 2025-04-21

Yeah, I did try to support it, and even added tests for it, but the tests passed because I was using a URL that would be allowed even without the hash. I've fixed it now.
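
The separator question and the test pitfall from the last reply, as an added example that is not part of the thread and is not Greasy Fork's code: a checker that reads both `#sha256=` and `#sha256-` fragments and reports which rule admitted a URL. The allowlisted hosts, the SHA-2-only policy and all function names are assumptions.

```javascript
// Added example: the host allowlist and the policy are assumptions, not Greasy Fork's code.
const ALLOWED_HOSTS = new Set(["cdn.jsdelivr.net", "code.jquery.com"]); // hypothetical
const DIGEST_BYTES = { md5: 16, sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
const PINNING = new Set(["sha256", "sha384", "sha512"]); // example policy: SHA-2 only

// True when `value` is a hex or Base64 digest of the right size for `algo`.
function isWellFormedDigest(algo, value) {
  const n = DIGEST_BYTES[algo];
  if (/^[0-9a-f]+$/i.test(value) && value.length === 2 * n) return true;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(value) || value.length % 4 !== 0) return false;
  const padding = value.length - value.replace(/=+$/, "").length;
  return (value.length / 4) * 3 - padding === n;
}

// Reads "#sha256=<digest>" and "#sha256-<digest>"; several hashes may be
// separated by "," or ";". Malformed or truncated entries are dropped.
function parseSri(url) {
  const at = url.indexOf("#");
  if (at < 0) return [];
  return url.slice(at + 1).split(/[,;]/).flatMap((part) => {
    const m = /^(md5|sha1|sha256|sha384|sha512)([=-])(.+)$/i.exec(part.trim());
    if (!m) return [];
    const algo = m[1].toLowerCase();
    return isWellFormedDigest(algo, m[3]) ? [{ algo, separator: m[2], digest: m[3] }] : [];
  });
}

// Returns the rule that admitted the URL, so a test can tell the hash rule
// apart from the host rule instead of only seeing "allowed".
function checkRequire(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return { allowed: false, reason: "invalid-url" };
  }
  if (ALLOWED_HOSTS.has(host)) return { allowed: true, reason: "allowlisted-host" };
  if (parseSri(url).some((h) => PINNING.has(h.algo))) return { allowed: true, reason: "sri-hash" };
  return { allowed: false, reason: "unapproved-host" };
}

// Sample inputs: the first URL is the one from the original post, the md5 value is constructed.
const pinned = "https://f9y4ng.github.io/GreasyFork-Scripts/lib/frColorPicker.js#sha256-5qwlU92m9JJzPnwytGBsLkwXoqPnnrjKFATILied8Os=";
console.log(checkRequire(pinned));               // admitted by the hash rule
console.log(checkRequire(pinned.split("#")[0])); // rejected: no hash, host not listed
console.log(checkRequire("https://code.jquery.com/jquery-2.1.1.min.js#md5=00112233445566778899aabbccddeeff")); // admitted by host alone
```

A test of the hash rule only proves something when the URL's host is outside the allowlist, where `reason` comes back as `sri-hash`.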
