- So you've decided to read my little essay?
- Not as an intentional slight, but I'm going to assume that you're not very knowledgeable about web security and programming if you had enough concern to click the link and read this. I'm going to try to keep this readable for someone who has no programming skill, but please bring it to my attention if something is still unclear after reading this.
- To begin with, browsers have several storage methods available. These range from enormous databases to simple bits of text. You may already be familiar with cookies, which are the web's primary method of letting you "log in" to a site. If you enter a username and password into a form, chances are very good that a cookie is what makes your login work when you click the submit button. You may also have already heard mention of local storage, which is relatively new and allows scripts to store a ton more data (about 10 million characters' worth, or about 2500x the length of this post).
- Now these are very useful tools for a script developer, but they all share one very important limitation: all of this data is only available on the domain it was stored on (a domain being "mturk.com" or "greasyfork.org"), a rule called the "same origin policy." A cookie set on mturk.com cannot be retrieved on amazon.com because, regardless of the same company owning both domains, sharing employees, etc., the domains are different and that's all the browser cares about.
- So this is a problem for Harpocrates in particular because, when you log in to Mechanical Turk, you are directed to a shared login portal that handles all of Amazon's stuff on amazon.com. When you are finished logging in, you are directed back to mturk.com. If you've been paying attention up to this point, you'll notice that these are two different origins, so under the same origin policy I can't use the browser's storage to share data between them.
- Fortunately, userscripts provide storage that can be used anywhere because the data is attached to the script and not to the domain. However, this introduces a new problem.
- Using a great number of the native userscript functions (such as those used for storing information) places the userscript into what is called a "sandbox". A sandbox is basically a complete and separate copy of the "actual" environment that prevents the script from interacting directly with the window. You may have already come across the term "sandbox" if you run a top-tier antivirus, since these applications often sandbox untrusted programs so that nothing happens to your computer if the program does something awful. It simply destroys the sandbox instead.
- What sandboxing ends up meaning for Harpocrates in particular is that it cannot reach Mount Olympus or any of its Olympian brethren because it has been stuck into a cage off to the side.
- The easiest way around this is to use the unsafeWindow variable, which is a direct reference to the "real" window environment that the rest of the scripts are running in. This sounds like I've opened the Ark of the Covenant just by the name of the variable, but there are two important things to remember about this.
- First, it's unsafe for the *script*. Userscripts run at a higher privilege than everything else, which means a particularly nasty page can exploit the userscript to do bad things. What this means in short is that you don't even have to worry about it as long as a) you don't visit shady websites and/or b) scripts don't run on shady websites. This is why some of the Turk scripts I've seen that use an asterisk for where to run the script (asterisk = every page on the internet) are mind-bogglingly poor practice.
- Second, if it were such a serious security concern then it wouldn't be as simple as using unsafeWindow to opt out of it.
- So, the function of Harpocrates should be clear if you've kept with me so far. It has to use script storage to maintain the information it needs, and must also use unsafeWindow to join the other Olympians. Harpocrates even goes a step beyond by only launching when you're signing into Mechanical Turk, which also avoids a huge bug by not saving your login time when you log in to Payments or Amazon proper.
- You can also see the function of Harpocrates if you check out the Code panel, even if you have no programming experience. You'll see `@grant GM_setValue` near the top, which is the GreaseMonkey directive that enables the function for saving data. A quick skim of the code below it shows the only spot it was used: to store the time you logged in for later.
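To make the three points above concrete (script storage instead of cookies, a narrow `@match` instead of an asterisk, and saving the login time only for a Mechanical Turk sign-in), here is a small illustrative userscript written for this essay. It is not the Harpocrates source. The sign-in path `/ap/signin` and a query parameter named `openid.return_to` carrying the destination site are assumptions made for the demo; the storage API is passed in as a parameter so the logic can be exercised outside a userscript manager.

```javascript
// ==UserScript==
// @name         Login-time recorder (illustrative, not the Harpocrates source)
// @match        https://www.amazon.com/ap/signin*
// @match        https://*.mturk.com/*
// @grant        GM_setValue
// @grant        GM_getValue
// ==/UserScript==

// Assumption for this demo: the shared Amazon sign-in page is /ap/signin and
// names the destination site in a query parameter "openid.return_to".
const LOGIN_KEY = 'harpocrates_login_time';

// Is this page load a Mechanical Turk sign-in, rather than a login to
// Payments or to amazon.com proper (which must not be recorded)?
function isMturkSignIn(urlString) {
  const url = new URL(urlString);
  if (url.hostname !== 'www.amazon.com' || !url.pathname.startsWith('/ap/signin')) {
    return false;
  }
  const returnTo = url.searchParams.get('openid.return_to');
  if (!returnTo) return false;
  try {
    // Compare the parsed hostname, not a substring of the raw string.
    const h = new URL(returnTo).hostname;
    return h === 'mturk.com' || h.endsWith('.mturk.com');
  } catch (e) {
    return false; // malformed return URL: treat as "not an MTurk sign-in"
  }
}

// Save the login time through the script's own storage (not a cookie), so a
// value written while on amazon.com is readable later on mturk.com.
// `storage` is an object with setValue/getValue, e.g. the GM_* functions.
function recordLogin(storage, urlString, nowMs) {
  if (!isMturkSignIn(urlString)) return false;
  storage.setValue(LOGIN_KEY, nowMs);
  return true;
}

// On mturk.com, read the stored time back and report the session age in minutes.
function sessionAgeMinutes(storage, nowMs) {
  const t = storage.getValue(LOGIN_KEY, null);
  return t === null ? null : Math.floor((nowMs - t) / 60000);
}

// Only touch the real GM_* API when actually running under a userscript manager.
if (typeof GM_setValue === 'function' && typeof GM_getValue === 'function') {
  recordLogin({ setValue: GM_setValue, getValue: GM_getValue }, location.href, Date.now());
}
```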