Description
Restrict Native fetch / XHR
Feature Description
In ScriptCat, @connect currently only restricts GM_xhr.
However, malicious scripts can still use native fetch or XMLHttpRequest directly to send users' keys, tokens, or other sensitive data to the author's own server.
It would be useful, at the script layer or the background layer, to:
- Intercept native fetch / XHR requests
- Block or redirect suspicious requests
- Prevent scripts from silently exfiltrating user data
- Record all fetch / XHR calls performed by UserScripts
Use Case
- Prevent malicious scripts from stealing data via native network APIs
- Improve overall script and user security