Tampermonkey®
by Jan Biniok
Table of Contents Previous entry (meta:run_in) Next entry (meta:tag)
@sandbox allows Tampermonkey to decide where the userscript is injected:
MAIN_WORLD - the pageISOLATED_WORLD - the extension's content scriptUSERSCRIPT_WORLD - a special context created for userscriptsBut instead of specifying an environment, the userscript can express what exactly it needs access to. @sandbox supports three possible arguments:
raw
"Raw" access means that a script for compatibility reasons always needs to run in page context, the MAIN_WORLD.
At the moment this mode is the default if @sandbox is omitted.
If injection into the MAIN_WORLD is not possible (e.g. because of a CSP) the userscript will be injected into other (enabled) sandboxes according to the order of this list.
JavaScript
"JavaScript" access mode means that this script needs access to unsafeWindow.
At Firefox a special context, the USERSCRIPT_WORLD, is created which also bypasses existing CSPs. It however, might create new issues since now cloneInto and exportFunction are necessary to share objects with the page.
raw mode is used as fallback at other browsers.
DOM
Use this access mode if the script only needs DOM and no direct unsafeWindow access.
If enabled these scripts are executed inside the extension context, the ISOLATED_WORLD, or at any other enabled context otherwise, because they all grant DOM access.
// @sandbox JavaScript