https://mokurin000.github.io
•
This is a web feed, also known as an Atom feed. Subscribe by copying the URL from the address bar into your newsreader. Visit About Feeds to learn more and get started. It's free.
Visit website
Recent posts
Updated on $DATE
date
userscript
mokurin000's blog - userscript
geek blog
Zola2026-06-04T17:30:00+08:00https://mokurin000.github.io/tags/userscript/atom.xml
用 Tauri 注入 UserScript
2026-06-04T17:30:00+08:00
2026-06-04T17:30:00+08:00
mokurin000
https://mokurin000.github.io/blog/tauri-userscript-injection/
<blockquote>
<p>注意:该方式注入的脚本具备接近页面最高权限的执行能力。
如若涉及远程加载,必须实现签名、证书检查等完整性保护机制,否则可导致页面被完全接管。</p>
</blockquote>
<p>在使用 Tauri 构建桌面 WebView 应用时,笔者偶然发现
<a rel="external" href="https://docs.rs/tauri/latest/tauri/struct.Builder.html?utm_source=chatgpt.com#method.append_invoke_initialization_script"><code>Builder::append_invoke_initialization_script</code></a> 这个 API。</p>
<p>它允许在 WebView 初始化阶段注入 JavaScript,在页面业务代码执行之前运行。这使得将 UserScript 直接内置进应用成为可能。</p>
<h2 id="zhu-ru-ji-zhi">注入机制</h2>
<p>Tauri 提供的注入方式如下:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-entity z-name z-namespace">tauri</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-type">Builder</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function">default</span><span class="z-punctuation">()</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment z-comment"> // Example script</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment z-comment"> // or: include_str!("script.js")</span></span>
<span class="giallo-l"><span class="z-keyword z-operator"> .</span><span class="z-entity z-name z-function">append_invoke_initialization_script</span><span class="z-punctuation">(</span><span class="z-string z-punctuation z-definition z-string">r#"</span></span>
<span class="giallo-l"><span class="z-string"> // modify window properties directly</span></span>
<span class="giallo-l"><span class="z-string"> window.__APP__ = true;</span></span>
<span class="giallo-l"><span class="z-string"> // Overriding `fetch()`</span></span>
<span class="giallo-l"><span class="z-string"> window.fetch = () => {};</span></span>
<span class="giallo-l"><span class="z-string"> // inject custom stylesheets on the document, e.g.</span></span>
<span class="giallo-l"><span class="z-string"> window.addEventListener(</span></span>
<span class="giallo-l"><span class="z-string"> "DOMContentLoaded",</span></span>
<span class="giallo-l"><span class="z-string"> () => {}</span></span>
<span class="giallo-l"><span class="z-string"> );</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-string"> "#</span><span class="z-punctuation">)</span></span>
<span class="giallo-l"><span class="z-keyword z-operator"> .</span><span class="z-entity z-name z-function">run</span><span class="z-punctuation">(</span><span class="z-entity z-name z-namespace">tauri</span><span class="z-keyword z-operator">::</span><span class="z-entity z-name z-function z-macro z-rust">generate_context!</span><span class="z-punctuation">())</span></span>
<span class="giallo-l"><span class="z-keyword z-operator"> .</span><span class="z-entity z-name z-function">expect</span><span class="z-punctuation">(</span><span class="z-punctuation z-definition z-string z-string">"error while running tauri application"</span><span class="z-punctuation">);</span></span></code></pre>
<p>这个阶段发生在 WebView 初始化早期,比
<a rel="external" href="https://developer.mozilla.org/zh-CN/docs/Web/API/Document/DOMContentLoaded_event">DOMContentLoaded</a>
更靠前,因此可以影响页面最初的运行环境。</p>
<h2 id="userscript-jian-rong-xing-de-chu-li-fang-shi">UserScript 兼容性的处理方式</h2>
<p>UserScript 通常运行在 TamperMonkey / GreaseMonkey 环境中,依赖 <code>GM_*</code> API 或 <code>unsafeWindow</code> 等扩展能力。而在普通 WebView 环境中,这些对象不存在。</p>
<pre class="giallo z-code"><code data-lang="javascript"><span class="giallo-l"><span class="z-storage z-type">const</span><span class="z-variable z-other z-constant z-js"> unsafeWindow</span><span class="z-keyword z-operator"> =</span><span class="z-punctuation z-definition z-string z-string"> 'undefined'</span><span class="z-keyword z-operator"> === typeof</span><span class="z-variable z-other z-readwrite"> GM_info</span><span class="z-keyword z-operator"> ?</span><span class="z-variable z-other z-readwrite"> window</span><span class="z-keyword z-operator"> :</span><span class="z-variable z-other z-readwrite"> unsafeWindow</span><span class="z-punctuation">;</span></span></code></pre>
<p>在必要时,我们可以手动提供兼容的对象,供 UserScript 使用。</p>
<h2 id="shi-yong-jia-zhi">使用价值</h2>
<p>这种方式本质上是在把 UserScript 作为应用内置能力使用。</p>
<p>相比传统 UserScript 流程,它减少了外部依赖:</p>
<ul>
<li>不需要用户安装油猴类扩展</li>
<li>不需要依赖 GreasyFork / OpenUserJS / jsDelivr 等脚本托管站</li>
<li>在网络受限环境下更稳定</li>
</ul>
<p>在分发层面,它更接近:</p>
<blockquote>
<p>“带脚本能力的桌面 Web 应用”</p>
</blockquote>
<h2 id="an-quan-bian-jie">安全边界</h2>
<p>该模式的关键风险在于:注入脚本等同于页面最高权限执行环境。</p>
<p>需要注意:</p>
<ul>
<li>只加载可信脚本或本地内置脚本</li>
<li>远程脚本必须具备签名或完整性校验机制</li>
<li>避免将其作为普通前端逻辑入口</li>
<li>必要时进行能力拆分或隔离执行环境</li>
</ul>
<h2 id="zong-jie">总结</h2>
<p><a rel="external" href="https://docs.rs/tauri/latest/tauri/struct.Builder.html?utm_source=chatgpt.com#method.append_invoke_initialization_script">append_invoke_initialization_script</a> 提供了一个非常直接的能力:在 WebView 初始化阶段注入 JavaScript。</p>
<p>借助这一机制,可以将 UserScript 作为应用内部逻辑层进行封装,实现:</p>
<ul>
<li>桌面应用内置脚本能力</li>
<li>与 UserScript 生态兼容的脚本复用</li>
<li>减少对外部脚本托管与浏览器扩展的依赖</li>
</ul>
<p>这是一种将“浏览器扩展式能力”迁移到桌面应用分发体系中的实现路径。</p>
<p>示例项目:<a rel="external" href="https://github.com/mokurin000/fknc-calculator/">fknc-calculator</a></p>
一篇由付费游戏价格计算器引发的思考