Failed to get remote content: Invalid URL #519

Closed
m-thomson opened this issue Jul 28, 2023 · 5 comments

@m-thomson

I've got my userscripts configured to work across browsers (I use Safari for personal stuff and Chrome+TamperMonkey for WebDev). To do this I have a local webserver to serve the files directly. The extension doesn't like this arrangement for some reason. If I try to add the remote http://localhost:2400/userscript/disable-fixed-elements.js the extension replies with "Failed to get remote content".

When I fetch that same URL using curl it seems to be served properly (unless I'm missing something):

curl -v http://localhost:2400/userscript/disable-fixed-elements.js      
*   Trying 127.0.0.1:2400...
* Connected to localhost (127.0.0.1) port 2400 (#0)
> GET /userscript/disable-fixed-elements.js HTTP/1.1
> Host: localhost:2400
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 743
< Content-Type: application/javascript
< Etag: "ryigw3kn"
< Last-Modified: Fri, 28 Jul 2023 14:43:15 GMT
< Server: Caddy
< Date: Fri, 28 Jul 2023 14:55:25 GMT
< 
// ==UserScript==
// @name         Disable fixed elements
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Hide any fixed css elements
// @author       You
// @icon         
// @grant        none
// @match        *://*/*
// @run-at       context-menu
// ==/UserScript==

(function () {
    'use strict';

    function disableFixed() {
        var i, elements = document.querySelectorAll('body *');
        for (i = 0; i < elements.length; i++) {
            if (getComputedStyle(elements[i]).position === 'fixed') {
                elements[i].parentNode.removeChild(elements[i]);
            }
        }
    }

    disableFixed();
})();

Secondly, there's a different but related issue.

I have a tiny PHP script which can serve the JS files. This script simply replaces the @version number with a file's timestamp so I don't need to worry about forgetting to change it manually. (In TamperMonkey, scripts won't update unless the @version is incremented - I'm not sure if this is also true about this extension).

To do this I can retrieve the userscript with URLs of the form: http://localhost:2400/userscript/?file=disable-fixed-elements.js. In that case, the extension throws an error about it being an invalid URL (I'm going to take a guess that it's because of the ? perhaps?).


I know that the URL works. Here's the output with Curl:

curl -v "http://localhost:2400/userscript/?file=disable-fixed-elements.js"
*   Trying 127.0.0.1:2400...
* Connected to localhost (127.0.0.1) port 2400 (#0)
> GET /userscript/?file=disable-fixed-elements.js HTTP/1.1
> Host: localhost:2400
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Cache-Control: no-store, no-cache, must-revalidate
< Cache-Control: post-check=0, pre-check=0
< Content-Type: application/javascript
< Expires: Sat, 26 Jul 1997 05:00:00 GMT
< Last-Modified: Fri, 28 Jul 2023 14:57:07 GMT
< Pragma: no-cache
< Server: Caddy
< X-Powered-By: PHP/8.2.8
< Date: Fri, 28 Jul 2023 14:57:07 GMT
< Content-Length: 750
< 
// ==UserScript==
// @name         Disable fixed elements
// @namespace    http://tampermonkey.net/
// @version      1690555395
// @description  Hide any fixed css elements
// @author       You
// @icon         
// @grant        none
// @match        *://*/*
// @run-at       context-menu
// ==/UserScript==

(function () {
    'use strict';

    function disableFixed() {
        var i, elements = document.querySelectorAll('body *');
        for (i = 0; i < elements.length; i++) {
            if (getComputedStyle(elements[i]).position === 'fixed') {
                elements[i].parentNode.removeChild(elements[i]);
            }
        }
    }

    disableFixed();
})();
* Connection #0 to host localhost left intact

NOTE: I realize this extension doesn't support @run-at context-menu but this was just an easy example to paste here. The point is that in both cases, the extension can't even retrieve the script.

Thanks for an awesome extension. I'm so glad I don't have to use TamperMonkey on Safari any more.

@m-thomson
Author

It looks like I was wrong about @run-at context-menu not being supported. That's awesome.

You might want to update the Readme to mention this.

@ACTCD
Collaborator

ACTCD commented Jul 28, 2023

For the first question, the http protocol is not currently allowed due to the check; replacing it with the https service should work. But maybe we can consider allowing native http requests.

For the second question, we only support user script URL addresses where path ends with .user.js instead of query parameters.

For the question about @run-at context-menu, this currently just works, but is not a perfect implementation, and we plan to refactor this feature in the future. #453
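
An added example, not the extension's own code and not written by either commenter: one way to express the two rules described in the reply above (https only, path ending in .user.js) with the WHATWG URL parser. The function name and the allowLoopbackHttp option are hypothetical, and the sample URLs are constructed from the ones in this issue.

```javascript
// Added illustration; hypothetical names, not the extension's actual check.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Rules from the reply above: https only, path must end in ".user.js".
// allowLoopbackHttp (assumption) models "maybe allow local http".
function checkRemoteUserscriptUrl(input, { allowLoopbackHttp = false } = {}) {
    let url;
    try {
        url = new URL(input); // splits scheme, host, path and query for us
    } catch {
        return { ok: false, reason: "unparseable URL" };
    }
    const loopbackHttp = url.protocol === "http:" &&
        allowLoopbackHttp && LOOPBACK_HOSTS.has(url.hostname);
    if (url.protocol !== "https:" && !loopbackHttp) {
        return { ok: false, reason: "scheme not allowed" };
    }
    // Test the parsed path only, so "?file=x.user.js" cannot satisfy the rule.
    if (!url.pathname.endsWith(".user.js")) {
        return { ok: false, reason: "path must end with .user.js" };
    }
    return { ok: true, reason: "accepted" };
}

// Constructed samples based on the URLs in this issue.
const SAMPLES = [
    "http://localhost:2400/userscript/disable-fixed-elements.js",
    "https://localhost:2400/userscript/?file=disable-fixed-elements.user.js",
    "https://localhost:2400/userscript/disable-fixed-elements.user.js",
];
for (const s of SAMPLES) {
    console.log(checkRemoteUserscriptUrl(s).reason, "<-", s);
}
```

Checking `url.pathname` rather than the raw string is what keeps a `.user.js` suffix in the query or fragment from passing, and the loopback exception is limited to an explicit host list so plain http to any other host is still refused.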

@m-thomson
Author

Thanks, I got it working the first way using https.

Is there a reason query params aren't supported in the second case?

@ACTCD
Collaborator

ACTCD commented Jul 28, 2023

I'm not sure, but that provides certainty and security to some extent?

We might not normally want user script to be dynamically generated.

In any case, you can still do it with something like address rewrite rules.

@m-thomson
Author

By the same token a malicious actor could also use rewrite rules. I don't think this restriction does anything at all to help security.

But for now, I guess a rewrite rule will fix my issue.

Thanks.

@ACTCD ACTCD closed this as completed Aug 1, 2023