Recent changes to unsafeWindow

unsafeWindow modified by mmartz

mmartz — Fri, 09 Aug 2019 19:42:40 -0000

--- v13
+++ v14
@@ -1,5 +1,5 @@
 [toTop]: #content_base "Top"
-[toBottom]: #site-footer "Bottom"
+[toBottom]: #notes "Bottom"
 ## Description

 This [API](Greasemonkey_Manual:API) object allows a [User script](User_script) to access "custom" properties--variable and functions defined in the page--set by the web page. The `unsafeWindow` object is shorthand for `window.wrappedJSObject`. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [Sandbox](Sandbox).
@@ -188,4 +188,4 @@

 BUG: In Firefox 3.0.x the `prototype` field will always be `undefined` for objects accessed through `unsafeWindow`. [Method 1](#method-1) can be used as a workaround for this problem.

-[⬆][toTop] [⬇][toBottom]
+[⬆][toTop]

unsafeWindow modified by mmartz

mmartz — Mon, 05 Aug 2019 14:03:11 -0000

--- v12
+++ v13
@@ -18,8 +18,8 @@

 Value: Object
 Returns: Variant
-Compatibility: [Greasemonkey 0.5b+](Version_history#0.5_beta)
-Access: [@grant](Metadata_Block#grant)
+Compatibility: [Greasemonkey 0.5b+](Version_history#05-beta)
+Access: [@grant](Metadata_Block#grant)

 [⬆][toTop] [⬇][toBottom]

unsafeWindow modified by mmartz

mmartz — Mon, 05 Aug 2019 14:01:52 -0000

--- v11
+++ v12
@@ -6,7 +6,7 @@

 * **USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.**

-`unsafeWindow` bypasses the Greasemonkey XPCNativeWrapper-based [Security](Security) model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts *(which execute with more privileges than ordinary JavaScript running in a web page)* do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on `unsafeWindow` - especially if they are executed for arbitrary web pages, such as those with [@include](Metadata_Block#include), where the page authors may have subverted the environment in this way.
+`unsafeWindow` bypasses the Greasemonkey XPCNativeWrapper-based [Security](Security) model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts *(which execute with more privileges than ordinary JavaScript running in a web page)* do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on `unsafeWindow` - especially if they are executed for arbitrary web pages, such as those with [@include](Metadata_Block#include), where the page authors may have subverted the environment in this way.

 User script authors are **strongly** encouraged to learn how [XPCNativeWrapper](XPCNativeWrapper)s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.

unsafeWindow modified by Martz

Martz — Thu, 05 May 2016 18:23:37 -0000

--- v10
+++ v11
@@ -29,25 +29,25 @@

 ### Core

-~~~~~~
+``` js
 unsafeWindow.SomeVarInPage = "Testing";
-~~~~~~
+```

 or

-~~~~~~
+``` js
 unsafeWindow.SomeFunctionInPage("Test");
-~~~~~~
+```

 or

-~~~~~~
+``` js
 var oldFunction = unsafeWindow.SomeFunctionInPage;
 unsafeWindow.SomeFunctionInPage = function(text) {
   alert("Hijacked! Argument was " + text + ".");
   return oldFunction(text);
 };
-~~~~~~
+```

 [⬆][toTop] [⬇][toBottom] [⇧](#examples)

@@ -59,17 +59,17 @@

 Event listeners never need to be created on unsafeWindow. Rather than using

-~~~~~~
+``` js
 unsafeWindow.onclick = function(event) { /* some code */ };
-~~~~~~
+```

 use:

-~~~~~~
+``` js
 window.addEventListener("click", function(event) { /* some code */ }, false);
-~~~~~~
+```

-See also [addEventListener at MDC](https://developer.mozilla.org/docs/Web/API/EventTarget.addEventListener)
+See also [addEventListener at MDN](https://developer.mozilla.org/docs/Web/API/EventTarget.addEventListener)

 [⬆][toTop] [⬇][toBottom] [⇧](#alternatives-to-unsafewindow)

@@ -77,26 +77,26 @@

 If a user script must execute a page function, it can use the Location hack to call it safely. This involves setting location.href to a `javascript:` URL, which is like using a bookmarklet. For example:

-~~~~~~
+``` js
 location.href = "javascript:void(pageFunc(123));";
-~~~~~~
+```

 Larger blocks of code independent of the Greasemonkey context/APIs can also be executed this way:

-~~~~~~
+``` js
 location.href = "javascript:(" + function() {
   /*
     Some code here.
       Note that the Greasemonkey API is not directly accessible within this function.
   */
 } + ")();";
-~~~~~~
+```

 or a more specific example:

-~~~~~~
+``` js
 location.href = "javascript:(" + encodeURI(uneval(function() { /* some code */ })) + ")();";
-~~~~~~
+```

 This code will run in the page context without leaking the [Sandbox](Sandbox). This code is completely separate from the rest of the script scope, sometimes limiting its usefulness. For example, data cannot be returned by the function.

@@ -110,7 +110,7 @@

 #### Method 1

-~~~~~~
+``` js
 function myScript() {
   for (var x in document) {
     /* some code with x */
@@ -131,13 +131,13 @@
 script.textContent = "(" + myScript + ")();";

 document.body.appendChild(script);
-~~~~~~
+```

 [⬆][toTop] [⬇][toBottom] [⇧](#attach-script-to-page)

 #### Method 2

-~~~~~~
+``` js
 window.addEventListener(
   "DOMTitleChanged",
   function() {
@@ -164,7 +164,7 @@
 document.body.appendChild(sGetter);

 unsafeWindow.uXHR(url);
-~~~~~~
+```

 [⬆][toTop] [⬇][toBottom] [⇧](#attach-script-to-page)

@@ -172,12 +172,12 @@

 Place this code at the very beginning of the script to inject the entire script into the page using the location hack. Like [Method 1](#method-1), this will give the script access to variables on the page, but not access to Greasemonkey API methods.

-~~~~~~
+``` js
 if (typeof window.wrappedJSObject == "object") {
   location.href = "javascript:(" + encodeURI(arguments.callee.toSource()) + ")();";
   return;
 }
-~~~~~~
+```

 **Be very careful when using the `wrappedJSObject` property. It can be just as dangerous as `unsafeWindow` is.**

unsafeWindow modified by Martz

Martz — Sun, 10 Aug 2014 20:09:30 -0000

--- v9
+++ v10
@@ -2,13 +2,13 @@
 [toBottom]: #site-footer "Bottom"
 ## Description

-This [API](Greasemonkey_Manual:API) object allows a [User_script] to access "custom" properties--variable and functions defined in the page--set by the web page. The `unsafeWindow` object is shorthand for `window.wrappedJSObject`. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [Sandbox].
+This [API](Greasemonkey_Manual:API) object allows a [User script](User_script) to access "custom" properties--variable and functions defined in the page--set by the web page. The `unsafeWindow` object is shorthand for `window.wrappedJSObject`. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [Sandbox](Sandbox).

 * **USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.**

-`unsafeWindow` bypasses the Greasemonkey [XPCNativeWrapper]-based [Security] model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts _(which execute with more privileges than ordinary JavaScript running in a web page)_ do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on `unsafeWindow` - especially if they are executed for arbitrary web pages, such as those with [@include](Metadata_Block#include), where the page authors may have subverted the environment in this way.
+`unsafeWindow` bypasses the Greasemonkey XPCNativeWrapper-based [Security](Security) model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts *(which execute with more privileges than ordinary JavaScript running in a web page)* do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on `unsafeWindow` - especially if they are executed for arbitrary web pages, such as those with [@include](Metadata_Block#include), where the page authors may have subverted the environment in this way.

-[User_script] authors are **strongly** encouraged to learn how [XPCNativeWrapper]s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.
+User script authors are **strongly** encouraged to learn how [XPCNativeWrapper](XPCNativeWrapper)s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.

 [⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [Notes](#notes)

@@ -49,8 +49,6 @@
 };
 ~~~~~~

-* For issues with [GM_getValue], [GM_setValue] and [GM_xmlhttpRequest], see see [0.7.20080121.0_compatibility].
-
 [⬆][toTop] [⬇][toBottom] [⇧](#examples)

 ## Alternatives to unsafeWindow
@@ -71,13 +69,13 @@
 window.addEventListener("click", function(event) { /* some code */ }, false);
 ~~~~~~

-See also [addEventListener at MDC](http://developer.mozilla.org/docs/DOM:element.addEventListener)
+See also [addEventListener at MDC](https://developer.mozilla.org/docs/Web/API/EventTarget.addEventListener)

 [⬆][toTop] [⬇][toBottom] [⇧](#alternatives-to-unsafewindow)

 ### Functions defined in the page

-If a user script must execute a page function, it can use the **[Location_hack]** to call it safely. This involves setting location.href to a `javascript:` URL, which is like using a bookmarklet. For example:
+If a user script must execute a page function, it can use the Location hack to call it safely. This involves setting location.href to a `javascript:` URL, which is like using a bookmarklet. For example:

 ~~~~~~
 location.href = "javascript:void(pageFunc(123));";
@@ -100,7 +98,7 @@
 location.href = "javascript:(" + encodeURI(uneval(function() { /* some code */ })) + ")();";
 ~~~~~~

-This code will run in the page context without leaking the [Sandbox]. This code is completely separate from the rest of the script scope, sometimes limiting its usefulness. For example, data cannot be returned by the function.
+This code will run in the page context without leaking the [Sandbox](Sandbox). This code is completely separate from the rest of the script scope, sometimes limiting its usefulness. For example, data cannot be returned by the function.

 Another drawback is that this technique is rather ugly. Still, it is preferred over `unsafeWindow`.

@@ -172,7 +170,7 @@

 #### Method 3

-Place this code at the very beginning of the script to inject the entire script into the page using the location hack. Like [Method 1](#Method_1), this will give the script access to variables on the page, but not access to Greasemonkey API methods.
+Place this code at the very beginning of the script to inject the entire script into the page using the location hack. Like [Method 1](#method-1), this will give the script access to variables on the page, but not access to Greasemonkey API methods.

 ~~~~~~
 if (typeof window.wrappedJSObject == "object") {

unsafeWindow modified by Martz

Martz — Sat, 28 Jun 2014 09:44:07 -0000

--- v8
+++ v9
@@ -10,7 +10,7 @@

 [User_script] authors are **strongly** encouraged to learn how [XPCNativeWrapper]s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.

-[⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [See Also](#see-also) | [Notes](#notes)
+[⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [Notes](#notes)

 ## Syntax

@@ -120,11 +120,13 @@
   /* some code */
 }

-/*
-  Attaches script into page body and executes it via an anonymous function call.
-    NOTES:
-      Script can therefore reference variables on the page, but likewise cannot use Greasemonkey API methods
-*/
+/**
+ * Attaches script into page body and executes it via an anonymous function call.
+ *
+ * NOTES: Script can therefore reference variables on the page, but likewise
+ * cannot use Greasemonkey API methods
+ *
+ */

 var script = document.createElement("script");
 script.type = "application/javascript";

unsafeWindow modified by Martz

Martz — Sat, 28 Jun 2014 09:39:59 -0000

--- v7
+++ v8
@@ -10,7 +10,7 @@

 [User_script] authors are **strongly** encouraged to learn how [XPCNativeWrapper]s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.

-[⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [See Also](#see-also)| [Notes](#notes)
+[⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [See Also](#see-also) | [Notes](#notes)

 ## Syntax

unsafeWindow modified by Martz

Martz — Sat, 28 Jun 2014 09:39:12 -0000

--- v6
+++ v7
@@ -1,263 +1,191 @@
-{{DISPLAYTITLE:unsafeWindow}}{{Greasemonkey Manual TOC}} 
-
+[toTop]: #content_base "Top"
+[toBottom]: #site-footer "Bottom"
 ## Description

-This [API](Greasemonkey_Manual:API) object allows a [User_script] to access "custom" properties--variable and functions defined in the page--set by the web page. The 
-    
-    unsafeWindow
+This [API](Greasemonkey_Manual:API) object allows a [User_script] to access "custom" properties--variable and functions defined in the page--set by the web page. The `unsafeWindow` object is shorthand for `window.wrappedJSObject`. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [Sandbox].

-object is shorthand for 
-    
-    window.wrappedJSObject
+* **USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.**

-. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [Sandbox]. 
+`unsafeWindow` bypasses the Greasemonkey [XPCNativeWrapper]-based [Security] model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts _(which execute with more privileges than ordinary JavaScript running in a web page)_ do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on `unsafeWindow` - especially if they are executed for arbitrary web pages, such as those with [@include](Metadata_Block#include), where the page authors may have subverted the environment in this way.

-    
+[User_script] authors are **strongly** encouraged to learn how [XPCNativeWrapper]s work, and how to perform the desired function within their security context, instead of using `unsafeWindow` to break out.

-  * **USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.**
-    
-    unsafeWindow
-
-bypasses the [Greasemonkey] [XPCNativeWrapper]-based [Security] model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts _(which execute with more privileges than ordinary JavaScript running in a web page)_ do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on 
-    
-    unsafeWindow
-
-\- especially if they are executed for arbitrary web pages, such as those with 
-    
-    @[include](Include_and_exclude_rules) *
-
-, where the page authors may have subverted the environment in this way. 
-
-[User_script] authors are **strongly** encouraged to learn how [XPCNativeWrapper]s work, and how to perform the desired function within their security context, instead of using unsafeWindow to break out. 
-
-{{toFirstLast}} | [Examples](#Examples) | [Alternatives to unsafeWindow](#Alternatives_to_unsafeWindow) | [See Also](#See_Also)| [Notes](#Notes) 
+[⬆][toTop] [⬇][toBottom] | [Examples](#examples) | [Alternatives to unsafeWindow](#alternatives-to-unsafewindow) | [See Also](#see-also)| [Notes](#notes)

 ## Syntax

 **unsafeWindow**

-    Value: Object 
-    Returns: Variant 
-    Compatibility: [Greasemonkey 0.5b+](Version_history#0.5_beta) 
-    Access: [@grant](Metadata_Block#.40grant_) 
+Value: Object
+Returns: Variant
+Compatibility: [Greasemonkey 0.5b+](Version_history#0.5_beta)
+Access: [@grant](Metadata_Block#grant)

-{{toFirstLast}} 
+[⬆][toTop] [⬇][toBottom]

 ## Examples

-{{toFirstLast}} 
+[⬆][toTop] [⬇][toBottom]

 ### Core

-{{Core samp |1=
-    
-    
-    unsafeWindow.SomeVarInPage = "Testing";
-    
+~~~~~~
+unsafeWindow.SomeVarInPage = "Testing";
+~~~~~~

-}} {{Core samp |1=
-    
-    
-    unsafeWindow.SomeFunctionInPage("Test");
-    
+or

-}} {{Core samp |1=
-    
-    
-    var oldFunction = unsafeWindow.SomeFunctionInPage;
-    unsafeWindow.SomeFunctionInPage = function(text) {
-      alert('Hijacked! Argument was ' + text + '.');
-      return oldFunction(text);
-    };
-    
+~~~~~~
+unsafeWindow.SomeFunctionInPage("Test");
+~~~~~~

-}} 
+or

-    For issues with [GM_getValue], [GM_setValue] and [GM_xmlhttpRequest], see see [0.7.20080121.0_compatibility]. 
+~~~~~~
+var oldFunction = unsafeWindow.SomeFunctionInPage;
+unsafeWindow.SomeFunctionInPage = function(text) {
+  alert("Hijacked! Argument was " + text + ".");
+  return oldFunction(text);
+};
+~~~~~~

-{{toFirstLast}} {{toPrev|2=Examples}} 
+* For issues with [GM_getValue], [GM_setValue] and [GM_xmlhttpRequest], see see [0.7.20080121.0_compatibility].
+
+[⬆][toTop] [⬇][toBottom] [⇧](#examples)

 ## Alternatives to unsafeWindow

-{{toFirstLast}} | [Events](#Events) | [Functions defined in the page](#Functions_defined_in_the_page) | [ Attach script to page](#Attach_script_to_page_) 
+[⬆][toTop] [⬇][toBottom] | [Events](#events) | [Functions defined in the page](#functions-defined-in-the-page) | [Attach script to page](#attach-script-to-page)

 ### Events

-Event listeners never need to be created on unsafeWindow. Rather than using 
+Event listeners never need to be created on unsafeWindow. Rather than using

-{{Bad samp |1=
-    
-    unsafeWindow.onclick = function(event) { /* some code */ };
+~~~~~~
+unsafeWindow.onclick = function(event) { /* some code */ };
+~~~~~~

-}} 
+use:

-use: 
+~~~~~~
+window.addEventListener("click", function(event) { /* some code */ }, false);
+~~~~~~

-{{Good samp |1=
-    
-    window.addEventListener("click", function(event) { /* some code */ }, false);
+See also [addEventListener at MDC](http://developer.mozilla.org/docs/DOM:element.addEventListener)

-}} 
-
-See also [addEventListener at MDC](http://developer.mozilla.org/en/docs/DOM:element.addEventListener)
-
-{{toFirstLast}} {{toPrev|2=Alternatives to unsafeWindow}} 
+[⬆][toTop] [⬇][toBottom] [⇧](#alternatives-to-unsafewindow)

 ### Functions defined in the page

-If a user script must execute a page function, it can use the **[Location_hack]** to call it safely. This involves setting location.href to a 
-    
-    javascript:
+If a user script must execute a page function, it can use the **[Location_hack]** to call it safely. This involves setting location.href to a `javascript:` URL, which is like using a bookmarklet. For example:

-URL, which is like using a bookmarklet. For example: {{Fair samp |why=WARNING: Cross-platform Location hack failure |1=
-    
-    location.href = "javascript:void(pageFunc(123));";
+~~~~~~
+location.href = "javascript:void(pageFunc(123));";
+~~~~~~

-}} 
+Larger blocks of code independent of the Greasemonkey context/APIs can also be executed this way:

-Larger blocks of code independent of the Greasemonkey context/APIs can also be executed this way: 
+~~~~~~
+location.href = "javascript:(" + function() {
+  /*
+    Some code here.
+      Note that the Greasemonkey API is not directly accessible within this function.
+  */
+} + ")();";
+~~~~~~

-{{Fair samp |why=WARNING: Cross-platform Location hack failure |1=
-    
-    location.href = "javascript:(" + function() {
-      /*
-        Some code here.
-          Note that the Greasemonkey API is not directly accessible within this function.
-      */
-    } + ")();";
+or a more specific example:

-}} 
+~~~~~~
+location.href = "javascript:(" + encodeURI(uneval(function() { /* some code */ })) + ")();";
+~~~~~~

-or a more specific example: 
+This code will run in the page context without leaking the [Sandbox]. This code is completely separate from the rest of the script scope, sometimes limiting its usefulness. For example, data cannot be returned by the function.

-{{Fair samp |why=WARNING: Cross-platform Location hack failure |1=
-    
-    location.href = "javascript:(" + encodeURI(uneval(function() { /* some code */ })) + ")();";
+Another drawback is that this technique is rather ugly. Still, it is preferred over `unsafeWindow`.

-}} 
-
-This code will run in the page context without leaking the [Sandbox]. This code is completely separate from the rest of the script scope, sometimes limiting its usefulness. For example, data cannot be returned by the function. 
-
-Another drawback is that this technique is rather ugly. Still, it is preferred over 
-    
-    unsafeWindow
-
-. 
-
-{{toFirstLast}} {{toPrev|2=Alternatives to unsafeWindow}} 
+[⬆][toTop] [⬇][toBottom] [⇧](#alternatives-to-unsafewindow)

 ### Attach script to page

-{{toFirstLast}} {{toPrev|2=Alternatives to unsafeWindow}} | [Method 1](#Method_1) | [Method 2](#Method_2) | [Method 3](#Method_3) 
+[⬆][toTop] [⬇][toBottom] [⇧](#alternatives-to-unsafewindow) | [Method 1](#method-1) | [Method 2](#method-2) | [Method 3](#method-3)

 #### Method 1

-{{Good samp |1=
-    
-    
-    function myScript() {
-      for (var x in document) {
-        /* some code with x */
-      }
-      /* some code */
-    }
-    
-    /*
-      Attaches script into page body and executes it via an anonymous function call.
-        NOTES:
-          Script can therefore reference variables on the page, but likewise cannot use Greasemonkey API methods
-    */
-    
-    var script = document.createElement("script");
-    script.type = "application/javascript";
-    script.textContent = "(" + myScript + ")();";
-    
-    document.body.appendChild(script);
-    
+~~~~~~
+function myScript() {
+  for (var x in document) {
+    /* some code with x */
+  }
+  /* some code */
+}

-}} 
+/*
+  Attaches script into page body and executes it via an anonymous function call.
+    NOTES:
+      Script can therefore reference variables on the page, but likewise cannot use Greasemonkey API methods
+*/

-{{toFirstLast}} {{toPrev|2=Attach script to page}} 
+var script = document.createElement("script");
+script.type = "application/javascript";
+script.textContent = "(" + myScript + ")();";
+
+document.body.appendChild(script);
+~~~~~~
+
+[⬆][toTop] [⬇][toBottom] [⇧](#attach-script-to-page)

 #### Method 2

-{{Good samp |1=
-    
-    
-    window.addEventListener(
-      "DOMTitleChanged",
-      function() {
-        var redirectURL = window.name;
-      },
-      false
-    );
-    
-    var sGetter = document.createElement("script");
-    sGetter.type = "application/javascript";
-    sGetter.textContent =
-        "function uXHR(url) {"
-      + "  var xhr = new XMLHttpRequest();"
-      + "  xhr.onreadystatechange = function() { "
-      + "    if (xhr.status == 301 || xhr.status == 302) {"
-      + "      window.name = xhr.getResponseHeader('Location');"
-      + "      document.title = document.title;"
-      + "    }"
-      + "  };"
-      + "  xhr.open('HEAD', url, true);"
-      + "  xhr.send(null);"
-      + "}";
-    
-    document.body.appendChild(sGetter);
-    
-    unsafeWindow.uXHR(url);
-    
+~~~~~~
+window.addEventListener(
+  "DOMTitleChanged",
+  function() {
+    var redirectURL = window.name;
+  },
+  false
+);

-}} 
+var sGetter = document.createElement("script");
+sGetter.type = "application/javascript";
+sGetter.textContent =
+    "function uXHR(url) {"
+  + "  var xhr = new XMLHttpRequest();"
+  + "  xhr.onreadystatechange = function() { "
+  + "    if (xhr.status == 301 || xhr.status == 302) {"
+  + "      window.name = xhr.getResponseHeader('Location');"
+  + "      document.title = document.title;"
+  + "    }"
+  + "  };"
+  + "  xhr.open('HEAD', url, true);"
+  + "  xhr.send(null);"
+  + "}";

-{{toFirstLast}} {{toPrev|2=Attach script to page}} 
+document.body.appendChild(sGetter);
+
+unsafeWindow.uXHR(url);
+~~~~~~
+
+[⬆][toTop] [⬇][toBottom] [⇧](#attach-script-to-page)

 #### Method 3

-Place this code at the very beginning of the script to inject the entire script into the page using the location hack. Like [Method 1](#Method_1), this will give the script access to variables on the page, but not access to Greasemonkey API methods. 
+Place this code at the very beginning of the script to inject the entire script into the page using the location hack. Like [Method 1](#Method_1), this will give the script access to variables on the page, but not access to Greasemonkey API methods.

-{{Fair samp |why=WARNING: Cross-platform Location hack failure |1=
-    
-    if (typeof window.wrappedJSObject == "object") {
-      location.href = "javascript:(" + encodeURI(arguments.callee.toSource()) + ")();";
-      return;
-    }
-    
+~~~~~~
+if (typeof window.wrappedJSObject == "object") {
+  location.href = "javascript:(" + encodeURI(arguments.callee.toSource()) + ")();";
+  return;
+}
+~~~~~~

-}} **Be very careful when using the 
-    
-    wrappedJSObject

-property. It can be just as dangerous as 
-    
-    unsafeWindow
+**Be very careful when using the `wrappedJSObject` property. It can be just as dangerous as `unsafeWindow` is.**

-is.**
-
-{{toFirstLast}} {{toPrev|2=Attach script to page}} 
+[⬆][toTop] [⬇][toBottom] [⇧](#attach-script-to-page)

 ## Notes

-BUG: In Firefox 3.0.x the 
-    
-    prototype
+BUG: In Firefox 3.0.x the `prototype` field will always be `undefined` for objects accessed through `unsafeWindow`. [Method 1](#method-1) can be used as a workaround for this problem.

-field will always be 
-    
-    undefined
-
-for objects accessed through 
-    
-    unsafeWindow
-
-. [Method 1](#Method_1) can be used as a workaround for this problem. 
-
-{{toFirstLast}} 
-
-{{Greasemonkey Manual TOC}}
-
-[U](Category:API_Reference) [Category:Scripting_context] [Category:Security] 
+[⬆][toTop] [⬇][toBottom]

unsafeWindow modified by Martz

Martz — Sat, 28 Jun 2014 09:21:19 -0000

UnsafeWindow modified by Martz

Martz — Fri, 27 Jun 2014 23:42:22 -0000

--- v4
+++ v5
@@ -39,6 +39,7 @@
     Value: Object 
     Returns: Variant 
     Compatibility: [Greasemonkey 0.5b+](Version_history#0.5_beta) 
+    Access: [@grant](Metadata_Block#.40grant_)

 {{toFirstLast}}