Sunday, August 19, 2007

Enterprise Greasemonkey: Solving the Greasemonkey Script Versioning Problem

As I have covered in previous blogs, Greasemonkey is a powerful client-side tool for augmenting web sites or creating mashups. It consists of a Firefox plugin coupled with scripts that are written and installed to modify web pages as they return from a web server. When this tool is brought into the enterprise, IT must sort out issues like security and deployment. I covered security in my last post, and in this installment I will look at how IT can solve deployment and versioning issues for Greasemonkey scripts.

NOTE: this blog entry was originally posted August 19th, 2007 on my previous blogging system (dev2dev.bea.com). Comments on the old blog were not transferred.

This is part 5 of a series of blog entries on Greasemonkey mashups.

The Need for Greasemonkey Script Deployment and Versioning

For this blog entry, imagine a web application in the enterprise with these characteristics:

  • It is a closed source packaged application, purchased from an external vendor.
  • It is used by a modest sized group of users, all of which are comfortable with computers and web browsing
  • There are a couple of missing features that dramatically hurt productivity
  • Those features can be easily woven into the application using a Greasemonkey script

Now, any one of those affected users could write the Greasemonkey script without involving IT. This script could then be passed around via email or a shared drive amongst colleagues. But there are few problems with this ad hoc approach to Greasemonkey:

  • As the script evolves, distribution and version management of the script will be difficult.
  • As new users are introduced to the web application, there is no formal process for getting them going with the script.
  • GM scripts are like .exe's - they can be host to malicious code. Unmanaged distribution could open the door for a hacker.
  • It is IT's mission to be the solution provider - IT should provide the Greasemonkey script.

Clearly, while IT can let the user community fend for themselves on this project, it would be far better for IT to own the solution. However, as always, unless IT can provide a solution quickly the users are apt to go with the ad hoc approach. Hopefully this blog entry will help you rapidly develop a sustainable solution, and add Greasemonkey to the list of official solutions for your enteprise.

Solving the Deployment and Versioning Issues for Greasemonkey Scripts

The rest of this blog entry discusses a solution that can provide manageability around Greasemonkey in the enterprise. It can solve the issues listed above, particularly the issues around deployment and versioning of a Greasemonkey script. This solution is by no means the only way to address these issues, but hopefully you will find it satisfies your requirements. The following describes characteristics of the solution:

  • It specifies a new landing page, or Gateway page, for the web application that users will hit before going into the app
  • This page can contain whatever you want, but it also has elements to help determine if the GM script is installed and up to date
  • The solution enforces the use of the Greasemonkey script (though it could be easily changed to make it only optional)
  • It provides version checking
  • It does not require any changes to the closed source web application
  • It is not foolproof - if the user avoids the Gateway page using a bookmark the enforcement is not run

The graphic below shows how the Gateway page fronts the web application to make sure the user has the proper Greasemonkey install. Ideally, the Gatekeeper page would be integrated into the web application's login page so a user could not bookmark their way around the enforcement. If the browser is not properly configured, the Gateway page obscures the Enter the Site button until the problem is corrected. Also note that the proper version of the Greasemonkey script should be located on a web server defined and managed by IT so the Gatekeeper page can direct the user to it if necessary.

greasemonkey_ver_arch

Versioning is implemented by including a div element on the Gateway page with the version number of the script that users should be using.

<div id="gm-script-ver-415" />








The Greasemonkey script looks for the div tag with it's version number. If it does not find it, it will not make the Enter the Site link visible.









 









The Solution Step by Step


















Check 1: Is the browser Firefox? If not, a message discloses the problem.








greasemonkey_demo_error_IE



























Check 2: Is Greasemonkey and the script installed? If not, the page offers the download links for both.


















greasemonkey_demo_error_GM



























Check 3: Is the Greasemonkey script the current version? If not, the page offers the download link for the latest version.









greasemonkey_demo_error_VER



























Success: The browser is properly configured. The user is allowed to continue if all checks pass.


















greasemonkey_demo_success



























Implementing the Solution








I didn't include the code in this blog but it is attached here. The code is fairly short, and so you should be able to repurpose it for your needs quickly. Also, for illustration, I have deployed an online demo.


















Online Demo









I am hoping others will provide alternative solutions - please speak up if you have built one. The solution I built is passive - it requires the user to navigate across the Gateway page. It is easy to imagine a more active solution, one that would use an XmlHttpRequest to periodically phone home to see if an updated script has been published. That type of solution would need to cache the answer, otherwise it's impact to the network could be substantial. I would think that the GM preference store could be used as a cache.












Greasemonkey Versioning on the Web:


















There are others who have talked about the versioning issue. Here are some links:









GMVC (Greasemonkey Version Control)








"The objective of this project is to create a database-driven repository of GreaseMonkey Userscripts which allows for the archiving of previous versions, the release of production versions and the limited released of alpha and beta test versions through the same site."









AllPeers Blog Entry








"A first step would be to give web authors at least the option of making their sites script-friendly. This would involve placing a special header on their webpages that can be tied to a specific version of a Greasemonkey script, like so:




<head> <meta greasemonkey:somescript.js="1.2"/> </head> "


















Jeff Barr's Blog








"At some point I could see the need for what we could call "Enterprise Greasemonkey," a tightly packaged version of Greasemonkey with a number of scripts installed and locked in to place. This would give system administrators the ability to deploy specialized versions of Firefox to users who don't need to know how to install, customize, or disable Greasemonkey scripts."


















Resources:




















Technorati Tags: ,




Saturday, August 18, 2007

Enterprise Greasemonkey: Beware of Greasemonkey's Inverted Security Model

I have been blogging about the power and usefulness of a tool called Greasemonkey. I have also explained when Greasemonkey is a good tool for use within the enterprise. But before you rush off and use it in your next IT project, you must understand an important issue with the tool. That issue specifically is Greasemonkey's security model, which was designed to protect benevolent scripts from evil websites. But from IT's point of view, the Greasemonkey security model is inverted - it trusts the wrong people. Within the enterprise, the IT hosted websites are trusted. It is the Greasemonkey scripts that may be evil. This blog entry explains the issue, and discusses some coping strategies.

NOTE: this blog entry was originally posted August 18th, 2007 on my previous blogging system (dev2dev.bea.com). Comments on the old blog were not transferred.

This is part 4 of a series of blog entries on Greasemonkey mashups.

The Power of Greasemonkey

A discussion of the Greasemonkey (GM) security model needs to start first with a discussion of the power of Greasemonkey. Greasemonkey scripts have enormous power, and so a security model is key to its design. In fact, the original version of GM got the model wrong, which led to urgent pleas to uninstall GM until the security model was fixed. The urgency of that issue was due to the danger of misuse of Greasemonkey. And that danger is directly related to GM's power and capabilities.

The first thing to understand about Greasemonkey is that it has full access to the web page. If a web page is displaying sensitive information like account numbers, Greasemonkey can see it. Therefore, a compromised Greasemonkey can do great damage by virtue of the information it can steal.

The second issue to understand is that Greasemonkey is powered by JavaScript and has access to features like event handlers. This can enable GM to snoop on anything the user is doing within the page. For example, a compromised Greasemonkey could capture user input, like the entry of a password.

Finally, Greasemonkey operates at a higher privilege level than normal JavaScript, giving it even more power. The most important capability is the ability for Greasemonkey to be immune to cross domain browser security. Normally, HTTP requests issued from JavaScript (XmlHttpRequest) can only target URLs in the same network domain (e.g. bea.com) as the parent page. This restriction was put in place to help limit (it does not totally prevent) cross site scripting (XSS) attacks. However Greasemonkey, as a plugin, is immune to this restriction. This is a most useful feature when building mashups, but it is does mean that Greasemonkey is operating with higher privileges. It can issue requests to whatever URL it wants, perhaps allowing it to send sensitive data to a malicious web server.

In summary, Greasemonkey is a powerful tool. But just as this power can be put to good use, it can also cause much damage when under the control of malicious parties. The rest of the blog describes how Greasemonkey provides protection, and why IT will have concerns about it in the enterprise.

The Greasemonkey Security Model - Trust the Scripts

Currently, Greasemonkey is a tool in use on the greater world wide web. I don't know the number of people using it, but let's speculate that at most its only a few percent of the users on the web. Let's also speculate that the people using it are fairly sophisticated computer users that know what they are doing. In this situation, we have a small community of users that probably don't attract a lot of attention from the black hats out there. Even if they did, the users have the ability to self-regulate and guard against attackers. Every script is human readable, and so users can look at every script before installing them to determine if the script is safe.

With this understanding of the use case, we can now look at the security model. The Greasemonkey security model operates with the following assumptions:

  • Trust the Greasemonkey script; the user installed it and therefore it can be trusted not to abuse the powers described above.
  • Do NOT trust the targeted web sites. Do not allow those sites any access to GM objects or APIs.

What this means is that the focus of the Greasemonkey security model is on malicious web sites. This came about because the first security model was vulnerable to such attacks. A well crafted web site could steal cookies and even files off the machine of the unsuspecting Greasemonkey user. The security model was revised in 2005, and great care has been taken to prevent web sites from hijaking the privileges of Greasemonkey to do harm. For a great article on how this was accomplished, read Mark Pilgrim's explanation of XPCNativeWrappers and how they protect GM.

gm_publicsecmodel

While attacks from malicious web sites should no longer be a problem, Greasemonkey is still vulnerable from certain kinds of attacks. Specifically, the security model does NOT have facilities for detecting or preventing malicious user scripts. Therefore, the user must be careful to only install scripts from trusted sources. This model is in use for the public web, but is it the right model for the enterprise?

The Enterprise Greasemonkey Security Model - an Inversion of Trust

Moving into the Enterprise, the angels and demons flip sides. In the enterprise, IT primarily owns the web sites. Rogue IT employees aside, these sites can be considered trusted and safe. But in this case the GM users aren't as sophisticated, and there is greater potential for them picking up malicious scripts. These are the same users that have been clicking on .EXE email attachments for years. IT cannot trust that this user community will correctly protect themselves from evil scripts.

From IT's point of view, the Greasemonkey security model is inverted - it trusts the wrong people.

gm_enterprisesecmodel

Whether this is a fatal flaw that prevents an enterprise from using Greasemonkey universally is a decision IT must own. Personally, I don't think Greasemonkey should be a part of an enterprise wide application roll-out. But I do still think it has it's place in niche solutions. The Greasemonkey Selection Framework introduced in my previous post should help guide when it is the right tool.

Admittedly, it is valid to view any sanctioned Greasemonkey use as reckless, because it could open a Pandora's box. Once users get a hold of it for authorized uses, it may lead to other unauthorized use within the enterprise. This is something for IT to bear in mind when considering if Greasemonkey is an appropriate tool. As a counterpoint, malicious attacks aren't limited to Greasemonkey scripts. .DOC and .PDF files both have been used in the past in attacks, but that has not prevented enterprise use of those technologies.

Malicious Greasemonkey - a Real World Example

To show that Greasemonkey scripts can be a real danger, take a look at this image below. It is a screen shot of the public Greasemonkey script repository, and it currently displays a big warning message. Apparently, a malicious script writer has been publishing evil scripts to the public at large.

greasemonkey_malicious_scripts

One could argue that this proves that the community approach works. Community members discovered the malicious behavior and have taken action to remedy it. But within the enterprise, would the users be able to catch such a problem?

Enterprise Solutions for the Greasemonkey Security Model

Now that you are aware of the problem, let's talk about how IT can solve the problem of the inverted security model. Unfortunately, a server side solution is not attainable. By design, a content page cannot know about or have access to the user script. Therefore a server side solution cannot prevent a malicious script from running on the page. In fact, public web sites that generate their revenue through ads have feared this problem for years. There is no way for these sites to stop the ad blocking Greasemonkey scripts.

We must look to the client for the solution. Unfortunately, Greasemonkey does not currently have a technical solution to this problem. For instance, there isn't a feature that prevents non-IT approved Greasemonkey scripts from being installed. Once the plugin is installed, the user is free to install any script, and there is no way to detect if that script has been tampered with. So if a coworker sends out an email like "Check this out, I updated the script to add a new feature", unwitting users may pick up a malicious script.

Instead, IT must rely on some coping strategies:

  • Train workers to treat Greasemonkey scripts with as much suspicion as an .EXE file
  • IT must host a read-only web site for all scripts to be published where they cannot be tampered with; do not just throw them on a file system
  • Beg the Greasemonkey developers to add a signing feature
Further Reading on the Greasemonkey Security Model

Final Greasemonkey Blog Post Coming Shortly...

The last post in this Greasemonkey series should be done soon...I will show how I implemented a deployment and versioning system for Greasemonkey scripts.

Friday, August 17, 2007

Greasemonkey in the Enterprise: When is GM the Right Tool for IT?

As I have covered in previous blogs, Greasemonkey is a powerful client-side tool for augmenting web sites or creating mashups. It consists of a Firefox plugin coupled with scripts that are written and installed to modify web pages as they return from a web server. Greasemonkey generally is a tool for techies who want to tweak their favorite sites around the web. But does Greasemonkey have a place in the toolbox of IT departments in the enterprise? My next few blog entries will work towards an answer to that question. In this installment I will introduce a framework for measuring whether Greasemonkey is a good solution for a specific enterprise project.

NOTE: this blog entry was originally posted August 17th, 2007 on my previous blogging system (dev2dev.bea.com). Comments on the old blog were not transferred.

This is part 3 of a series of blog entries on Greasemonkey mashups.

 

An Enterprise Use Case for Greasemonkey

You probably did not learn about Greasemonkey (GM) in a Computer Science class at University. When drawing up an ideal solution for delivering a web application, Greasemonkey is probably no where in sight. The truth is Greasemonkey is a pragmatic solution for real world problems when other options aren't available. It is not the cleanest solution, but it makes up for that by being effective. It will always have detractors who will dismiss it as a hack, and an evil one at that. While its shortcomings cannot be denied, it is a mistake to dismiss it.

Greasemonkey has the potential of fast tracking IT projects that would otherwise never get implemented. It can also lower the bar for IT skill sets - a junior scripter can use it to modify the most complex of web applications. I feel that Greasemonkey deserves a place in your IT toolbox, and should be an option when it is an appropriate solution.

But I will be the first to say that Greasemonkey is not for everyone, and is not for every project. Greasemonkey definately has a sweet spot. Outside of that sweet spot, you are best off looking at another solution like other mashup tools or custom development.

For a quick example of good GM use case, imagine a web application in the enterprise with these characteristics:

  • It is a closed source packaged application, purchased and installed from an external vendor by IT.
  • It is used by a modest sized group of users, all of which are comfortable with computers and web browsing
  • There are a couple of missing features that dramatically hurt productivity
  • Those features can be easily woven into the application using a Greasemonkey script

This web application would make a good candidate for augmentation with Greasemonkey. A GM script could be quickly created that would add the missing features without needing to acquire the source code for the application. The deployment of the script would be relatively simple - the user population is modest in size and are technically competent. IT could be a hero by providing a quick solution to an expensive problem.

But what makes this use case a good fit for Greasemonkey? What other applications are good candidates for a Greasemonkey mashup/augmentation? What guidelines should you use when deciding if Greasemonkey is right for a given project? This blog will answer these questions.

Greasemonkey Selection Framework

This section provides a framework for evaluating whether Greasemonkey is a good fit for an enterprise project. Like any software selection process, you must consider many factors before choosing a best fit solution. You cannot base your decision on a single factor; you must sum the overall suitability against the project requirements. The list below enumerates a number of factors to look at before making your choice. For each factor, I explain when Greasemonkey is best suited.

 greasemonkey_logo Factor: Do you have access to the source code of the web application?
Description: IT brings in many packaged applications from external vendors. In such cases, IT may not have access to any source code, or only a partial set (like the HTML files). For applications home grown within IT, this is not an issue as the source code is available.
Greasemonkey Fit: When the source code is available, it may be easier to just update the original application. Greasemonkey is indicated more when the source code is unavailable.

 greasemonkey_logoFactor: The application is home grown and the source code is available. But updating the application is very risky?
Description: Even if the source code for an application is available, it may not be cost effective to update the application directly. Perhaps all of the original developers are gone, and there is little documentation on how the site was built. Or perhaps the current staff is unfamiliar with the technology that was used to implement the site. If the code base is complex, it may be risky to make any modification to the source code.
Greasemonkey Fit: Greasemonkey can be a safer solution for adding new features to web applications that are risky to touch. The Greasemonkey script is externalized from the web application, and so the new development is clearly separated from the legacy application.

 greasemonkey_logoFactor: How critical is the feature to be added?
Description: Is the feature a productivity enhancement, or is the application as-is no longer valid without the update? An example of the latter would be a feature related to a compliance project. In order for the legacy application to update company financial data, a new "explanation" field needs to be added to a web form for auditing purposes. Users must not submit this form without the added field.
Greasemonkey Fit: It would be difficult to enforce that a user have the Greasemonkey installed and up to date (although the last blog entry in this series will offer a possible solution for this). Therefore, if an application is not valid without the new feature, Greasemonkey may not be the right solution for implementing that feature. For optional features such as productivity enhancements, Greasemonkey is a great solution.

 greasemonkey_logoFactor: Is Firefox certified for use in the enterprise, and does it work with the target application?
Description: This factor is obvious, but be careful not to miss this in your software selection. Greasemonkey requires Firefox (there have been attempts to port to IE (gm4ie, GreasemonkIE), but are they complete/solid?). Also, some web applications may not work correctly with Firefox.
Greasemonkey Fit: If your enterprise does not support users on Firefox, Greasemonkey is not an available solution. Also, if the target web application does not work well with Firefox, Greasemonkey is not a great fit for the project.

 greasemonkey_logoFactor: To what degree are the target users computer literate?
Description: Within the enterprise, there is a broad range of computers skills amongst the employees. Greasemonkey does require users to be able to follow directions on installing Firefox, the Greasemonkey plugin and the required scripts.
Greasemonkey Fit: The more computer literate the user base, the better for Greasemonkey. While installing plugins and scripts seems like a no-brainer for anyone that would be reading this blog, it is a true obstacle for many within the enterprise.

 greasemonkey_logoFactor: What size is the user population that needs the new feature?
Description: The appeal of web applications is in their ease of deployment. IT need only manage the application on a few server machines in the data center. Updates are efficiently deployed. Client side solutions are generally more expensive to deploy, as each client needs to be updated with each new version.
Greasemonkey Fit: The cost of deploying a Greasemonkey script to a small user population is likely modest. On the other hand, deploying a new version of a Greasemonkey script to a huge user population is an expensive proposition, particularly when computer literacy is an issue (see above). Greasemonkey is best when the user population is small.

 greasemonkey_logoFactor: Is the application exposed to the public internet?
Description: Many enterprise applications are available to a closed audience of employees and partners. But some applications are also exposed out to customers and the general public on the internet.
Greasemonkey Fit: Because Greasemonkey requires Firefox, the GM plugin, and the proper user scripts installed, Greasemonkey is a good solution when the user base is well known and constrained. Otherwise support costs and customer complaints will be high ("Hello, Avitek Industries, how may I help you?"; "Your website says I need Firefox. What is a Firefox?").

 greasemonkey_logoFactor: How often is the page structure in the web application changing?
Description: Regardless of who is changing the web application (IT, or the ISV if it is a packaged application), every update has the potential of breaking existing Greasemonkey scripts. Minor changes to the content will probably be safe, but bigger changes to the page templates will almost certainly cause problems.
Greasemonkey Fit: Greasemonkey works best if the structure of the pages within the target web application is not changing substantially.

 greasemonkey_logoFactor: Does the application manage or expose sensitive information?
Description: Some enterprise web applications are low security risks. The site that hosts a monthly employee newsletter probably is not much of a concern from a security point of view. A payroll system is quite the opposite; the consequence of a security breach is severe.
Greasemonkey Fit: My next blog entry in this series will discuss the Greasemonkey security model and why it is not a great fit for the enterprise. Based on that analysis, Greasemonkey is not a good choice for adding features to highly sensitive enterprise web applications. Further, some IT Managers may feel GM is too risky to allow at all. More to come in the next post...

 greasemonkey_logoFactor: Does the new feature require many changes to the existing web application?
Description: Javascript can update the DOM of an HTML page quite easily. But for each update on a page, there is code involved. Writing raw HTML (in an .html file, a JSP/ASP file, etc) is far easier than a similar effort in JavaScript code.
Greasemonkey Fit: Greasemonkey is a great fit for features that can be implemented with a few snips to the target HTML. As the number of distinct changes to a page increases, the suitability of Greasemonkey decreases.

 greasemonkey_logoFactor: Does the target web application already have JavaScript code that mutates the page?
Description: The web application may have JavaScript code that modifies the page structure. This may be in support of Ajax capabilities, or just the way the initial page load was implemented. A Greasemonkey script runs before any page defined JavaScript runs. This may or may not be a good thing.
Greasemonkey Fit: Implementing a feature with Greasemonkey may be difficult if the page is already mutating itself with JavaScript.

 greasemonkey_logoFactor: Does the feature require communication with a server in a different network domain than the web application?
Description: Browser based programmatic requests initiated from JavaScript (XmlHttpRequests) are restricted in their reach - they must not cross a network domain (e.g. bea.com). This is browser security, and this is generally good. But if you are adding a mashup feature to the web application, this would normally prevent the feature from being implemented in the browser. However, Greasemonkey scripts are not subject to this limitation, and can issue an XmlHttpRequest to any network domain.
Greasemonkey Fit: Greasemonkey is a good fit when you wish to implement the feature in the browser but need to connect to a different network domain.

Favorable Enterprise Greasemonkey References

To see how others have used Greasemonkey on enterprise projects, or for opinions on how Greasemonkey can add value to the Enterprise, consult these links:

Greasemonkey Improves Productivity - this company uses Greasemonkey to speed up enterprise form entry

Enterprise Greasemonkey is Inevitable - "...sooner rather than later we're going to see GM within the enterprise - if only b/c they have the potential to take some of the load off of beleaguered, shortstaffed IT staffs."

Firefox in the Enterprise Working Group - focuses on a larger issue than just Greasemonkey, but this expert group is looking at some of the issues noted above.

Using Greasemonkey to Enhance Auditing - this script adds time logging capabilities to JIRA.

Anti Enterprise Greasemonkey References

And the opposing view. There are those who think IT should stay well away from Greasemonkey:

Greasemonkey Primes Firefox For Embarrassment - this is an article you have to pay good money to read. Here is an excerpt from the abstract: "But IT managers beware: Greasemonkey will cause you nothing but headaches..."

[Greasemonkey] is Evil - "What's evil is the idea you mention that we'll end up making sophisticated infrastructure like automated script updaters in an attempt to turn a quick-and-dirty hack into a robust solution."

The Story Continues...

My next blog entry will discuss the Greasemonkey security model, and why IT will see it as "inverted" from what you would want.

Technorati Tags: ,