Tampermonkey
Tampermonkey is a donationware browser extension developed by Jan Biniok that serves as a userscript manager, enabling users to install, manage, and execute custom JavaScript code—known as userscripts—to modify and enhance the functionality of web pages across various websites.[1][2]
First released in May 2010, Tampermonkey quickly gained traction as a versatile alternative to earlier tools like Greasemonkey, expanding support beyond Firefox to include Chromium-based browsers such as Google Chrome and Opera.[1] Its development has involved ongoing updates to adapt to evolving browser standards, including transitions from Manifest V2 to V3 architectures in Chrome and Edge, ensuring continued compatibility while addressing security and performance improvements.[3] By 2025, it remains actively maintained, with features like beta versions for testing new capabilities.[4]
Key features of Tampermonkey include easy script installation from sources like Greasy Fork or OpenUserJS, script editing via built-in or external editors, categorization and toggling of scripts for selective execution, and synchronization options using services such as Google Drive, Dropbox, or browser-native sync to maintain user configurations across devices.[2] It also supports script blacklisting to mitigate risks from malicious code, local file access for advanced users, and export/import functionalities in formats like ZIP or JSON for backups.[2] These tools empower users to perform tasks like ad blocking, interface customization, or automation on sites including social media platforms and e-commerce pages.
Tampermonkey is compatible with all major desktop and mobile browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, and Opera, making it accessible to a broad audience.[5] With over 10 million weekly active users as of 2025, it stands as the most widely adopted userscript manager, fostering a large ecosystem of community-contributed scripts that extend its utility for productivity, privacy, and entertainment enhancements.[6]
Overview
Definition and Purpose
Tampermonkey is a free donationware browser extension that functions as a userscript manager, enabling users to inject and manage custom JavaScript userscripts on websites to customize and enhance their browsing experience.[5][1] Developed by Jan Biniok and first released in May 2010, it supports major browsers including Chrome, Firefox, Microsoft Edge, Safari, and Opera Next, with over 10 million users worldwide.[1][6]
The primary purpose of Tampermonkey is to allow non-technical users to alter webpage behavior, appearance, or functionality without modifying the site's original source code, facilitating tasks such as ad-blocking, user interface enhancements, or automation of repetitive actions.[5][7] For instance, users can run scripts to add features like media download buttons or dark mode toggles to specific sites.[8] This customization occurs through userscripts—small JavaScript programs that execute automatically on matching web pages, providing a flexible way to personalize the web without requiring advanced programming knowledge.[9]
As a cross-browser solution, Tampermonkey emerged in the context of Greasemonkey, the pioneering Firefox userscript manager, by offering broad compatibility for Greasemonkey-style scripts while prioritizing support starting with Chrome, where no equivalent extension existed at the time.[2][1] The basic workflow involves installing the extension from a browser's official store, adding userscripts from community repositories such as Greasy Fork, and having Tampermonkey automatically execute them on designated URLs to apply the desired modifications.[8][10]
Core Functionality
Tampermonkey processes user scripts by first evaluating metadata directives in the script's header to determine applicability to the current webpage. Upon loading a page, the extension automatically scans installed scripts for matching URL patterns specified via the @match or @include directives. The @match directive employs structured patterns compliant with browser extension standards, allowing wildcards and schemes like https://*.example.com/* to trigger execution on specific domains or paths, while @include provides simpler glob-style matching such as http://www.example.com/*. These directives ensure scripts activate only on intended URLs, preventing unnecessary or unintended runs.[9][11]
Once matched, scripts execute within a sandboxed environment to isolate them from the webpage's native JavaScript, mitigating risks of interference or security vulnerabilities. This isolation occurs in contexts like the extension's isolated world or a dedicated userscript world, configurable via the @sandbox directive, which defaults to a raw mode for direct page interaction but can be set to JavaScript or DOM-only modes for stricter separation. The @grant header further refines this by explicitly permitting access to UserScript API functions (such as GM_* methods) or unsafeWindow, ensuring controlled permissions without exposing the full page scope. Essential headers like @name for identification, @version for versioning, and @namespace for uniqueness among scripts complete the metadata, enabling organized management during execution.[9]
For persistence, Tampermonkey integrates with the browser's storage mechanisms through the UserScript API, allowing scripts to store and retrieve data via functions like GM_setValue(key, value) and GM_getValue(key, defaultValue). These operations leverage the browser's local storage or IndexedDB, scoped to the script's namespace to avoid conflicts with other extensions or pages, thus supporting features like user preferences or cached data across sessions.[9]
Script maintenance involves automated update handling, where Tampermonkey periodically checks remote repositories specified in the @updateURL header against the local @version. If a newer version is detected—determined by semantic comparison (e.g., 1.1 precedes 1.10)—the extension prompts or automatically downloads the updated script from the @downloadURL, ensuring scripts remain current without manual intervention. This process requires a valid @version tag and respects user-configured update intervals to balance security with performance.[9]
Features
Tampermonkey provides a centralized dashboard interface accessible through its browser extension options, where users can view a list of all installed scripts along with their metadata, such as names, versions, and enablement status.[2] From this dashboard, users can enable or disable individual scripts with a single toggle, edit script configurations or code by clicking on the script name—which opens the built-in editor for modifications—and delete scripts by selecting the removal option and confirming the action.[2] This interface allows for quick administrative control over the script library, ensuring users can manage active customizations without navigating external tools.[2]
For backups and transfers, Tampermonkey includes import and export functionality located in the Utilities tab of its settings.[2] Users can export their entire collection of scripts, settings, and storage data to either JSON documents or ZIP archives, which encapsulate all relevant files for easy portability across devices or reinstallations.[2] Conversely, the same tab supports importing from these formats, allowing seamless restoration of scripts and configurations from previously saved files.[2]
Organization within the dashboard is facilitated through a tagging system, enabling users to categorize scripts for better management of large collections.[2] Tags can be assigned directly in the script's settings page or via the @tag directive in the script header, such as // @tag [productivity](/page/Productivity), using user-defined tags such as 'productivity', 'utilities', or 'enhancements'.[9] Once applied, tags appear in the dashboard script list, allowing users to filter, search, or bulk-toggle scripts by category, which streamlines workflows for users handling dozens of scripts.[2]
To maintain consistency across multiple devices, Tampermonkey supports script synchronization through various cloud services integrated into its Settings tab under the Script Sync section.[2] Users can enable syncing with Google Drive, Dropbox, OneDrive, or WebDAV protocols, which automatically propagate script installations, updates, and settings changes in real-time or on-demand via a dedicated sync button.[7] This feature ensures that configurations remain uniform without manual exports, though it requires granting the extension appropriate storage permissions.[2]
Security in script sourcing is managed via blacklisting and whitelisting options to prevent unauthorized or risky installations.[2] The Manual Userscript and @require Blacklist, configurable in advanced settings, allows users to block specific URLs or domains from installing scripts or loading external resources, cross-referencing against community-maintained lists like those on GitHub for known threats.[2] Complementing this, whitelisting can be applied through file extension filters in the Downloads section or domain-specific approvals via the @connect directive in scripts, ensuring only trusted sources contribute to the user's environment.[9]
Built-in Editor and Debugging
Tampermonkey provides an integrated code editor accessible from its dashboard, allowing users to create and modify userscripts directly within the browser extension. This editor features syntax highlighting for JavaScript and metadata blocks, enhancing readability and reducing errors during development.[12] Additionally, it includes auto-completion support, triggered by Ctrl+Space, which suggests common UserScript APIs and functions to streamline coding workflows.[12]
The editor incorporates ESLint for real-time syntax checking and linting, displaying hints and warnings as users type to identify potential issues early.[5] This integration helps maintain code quality without requiring external tools. For debugging, Tampermonkey leverages the browser's developer console, where users can enable debug mode in the extension settings to pause execution at debugger; statements inserted in scripts.[13] Console logging is facilitated through the GM_log() API, which outputs messages directly to the browser's console for monitoring script behavior and troubleshooting.[13] Error reporting also routes through the console, integrating seamlessly with browser developer tools for stack traces and variable inspection.
Script versions are managed using the @version metadata tag, which must be incremented for updates to ensure proper tracking and reloading.[14] While basic version control is handled internally, Tampermonkey supports external editor integration, such as linking to Visual Studio Code via the dedicated Tampermonkey Editors extension, allowing developers to edit scripts in a full-featured IDE while syncing changes back to the extension.[5] This setup bridges browser-based editing with advanced development environments, though scripts from local files require specific permissions and do not execute automatically.[2]
History
Origins and Early Development
Tampermonkey was created in 2010 by German developer Jan Biniok as a userscript manager extension designed to bring Greasemonkey-like functionality to Google Chrome, which at the time lacked native support for userscripts in Chromium-based browsers.[1] The extension originated as a wrapper around existing Greasemonkey scripts to enable their execution in Chrome, addressing the growing demand for customizable browsing experiences amid Chrome's rapid adoption.[15] Early development focused on core capabilities such as script injection into web pages and basic management tools, allowing users to install, enable, and disable userscripts without advanced configuration.[16]
The initial release occurred in May 2010, marking the extension's availability for Chrome users outside of Firefox's ecosystem. Tampermonkey appeared on the Chrome Web Store around 2010-2011, facilitating easier distribution and installation, which aligned with the store's expansion and Chrome's increasing market share from around 7% in 2010 to over 30% by 2012. This timing capitalized on limitations in Greasemonkey, which was primarily optimized for Firefox and struggled with cross-browser compatibility, driving initial adoption among developers and power users seeking portable script solutions.[17]
Tampermonkey was initially developed as open source software under the GNU General Public License (GPL) version 3. In January 2013, after version 2.9, Biniok changed it to proprietary/closed source, though the GitHub repository continued to host the source code up to that version to encourage community contributions and transparency.[16] This period solidified its position as a key tool in the userscript ecosystem, particularly as Chrome's dominance grew and users migrated from Firefox, where Greasemonkey's performance issues became more apparent with evolving web standards.[1]
Key Updates and Manifest V3 Transition
Tampermonkey's development has included several milestone releases that expanded its capabilities. In 2015, version 3.0 was released, adding support for mobile browsers on Android, allowing users to manage and run userscripts on mobile devices.[5] Around 2016, version 4.0 enhanced script syncing features, enabling users to synchronize their userscripts across multiple browsers and devices via cloud storage options like Google Drive or Dropbox.[2]
Beginning in 2021, Tampermonkey faced challenges from Google's transition to Manifest V3 for Chrome extensions, which replaced persistent background pages with service workers, necessitating a major rewrite of the extension's core architecture to maintain functionality. This shift impacted userscript managers like Tampermonkey, as service workers introduced limitations on execution time and state persistence. To address compatibility during Google's phased rollout, developers released temporary workarounds and beta versions in 2022, which tested MV3 features while preserving backward compatibility for existing users.[2]
Full compliance with Manifest V3 was achieved in version 5.0 in November 2023, ensuring continued support for userscript injection and management without disrupting core functionality.[18] This update required users to enable developer mode in Chrome for script execution and introduced options to modify content security policy headers for legacy script compatibility.[2] Performance impacts included faster extension loading times due to service worker efficiency, though restrictions on persistent storage led to adjustments in how scripts handle long-running tasks and data retention.[19]
Development continued actively into 2025, with version 5.4.0 released in September 2025, adding features like Blob/File download support and improvements to GM_xmlhttpRequest, while fixing issues related to storage and synchronization.[3]
Technical Aspects
UserScript Standards and API
Tampermonkey adheres to the established UserScript metadata block format originally defined by Greasemonkey, which encapsulates essential script information within a comment block at the beginning of each userscript file. This block follows the structure // ==UserScript== followed by key-value pairs using // @key value directives, and concludes with // ==/UserScript==. Common directives include @name for the script's title, @namespace for unique identification, @version for update tracking, @description for a brief overview, @include or @match for specifying execution URLs via pattern matching, @require for loading external libraries, and @run-at for controlling injection timing such as document-start or document-end.[9][20]
The core API provided by Tampermonkey includes functions for persistent storage, style injection, and debugging, prefixed with GM_. For storage, GM_setValue(key, value) and GM_getValue(key, defaultValue) allow scripts to save and retrieve data across sessions, supporting primitives like strings, numbers, booleans, and objects serialized as JSON. Style injection is handled by GM_addStyle(css), which appends custom CSS rules to the page without altering the original stylesheet. Debugging is facilitated by GM_log(message), which outputs messages to the browser console for troubleshooting.[9]
Extended APIs enable advanced interactions, such as GM_xmlhttpRequest(details), which performs cross-origin HTTP requests and bypasses browser CORS restrictions by leveraging extension privileges; it accepts an options object with properties like method, url, data, and callbacks for events including onload, onerror, and onprogress. This function supports HTTP and HTTPS protocols, and allows anonymous requests or credential inclusion.[9]
The permission model relies on @grant directives within the metadata block to explicitly whitelist API access, ensuring scripts only receive necessary privileges and enhancing security by defaulting to a sandboxed environment. For instance, @grant GM_setValue enables storage functions, while @grant none disables the sandbox entirely, running the script in the page context for direct DOM access. Access to the page's DOM for manipulation is provided via the unsafeWindow object, which requires @grant unsafeWindow to bridge the sandbox isolation and expose the host window's properties and methods. Multiple @grant lines can be used to request specific functions, and Tampermonkey infers grants if none are specified, though explicit declaration is recommended for compatibility.[9]
Tampermonkey supports API versioning through compatibility modes aligned with Greasemonkey's evolution, accommodating both the legacy GM 1.0 behavior—where API access was implicitly granted based on usage—and the stricter GM 2.0 mode introduced in Greasemonkey 2.0, which mandates explicit @grant directives for all privileged functions to prevent unintended access. This dual support is configurable via Tampermonkey's settings, such as compat_foreach for iteration methods or compatopts_for_requires for external script handling, allowing older scripts to function without modification while encouraging modern explicit permissions.[9][21]
Browser Compatibility and Extensions
Tampermonkey primarily supports major desktop browsers through their respective extension stores, including Google Chrome and Microsoft Edge via the Chrome Web Store, Mozilla Firefox via the Firefox Add-ons site, and Apple Safari via the Safari Extensions Gallery, with Safari compatibility introduced in 2020.[5][7][22][23][24]
For browsers like Opera, Tampermonkey offers standalone versions available directly from the Opera Add-ons store, enabling users to install and manage userscripts without relying on cross-browser ports. Similarly, portable builds support deployment in environments where standard extension stores are unavailable.[25][26]
Tampermonkey extensions utilize browser-specific manifest formats, such as CRX files for Chrome and Edge installations via drag-and-drop into the extensions page, and XPI files for Firefox, which can be installed by dragging into the add-ons manager. Cross-compatibility is achieved through Tampermonkey's portable builds, which adapt these formats to function across supported Chromium- and Gecko-based browsers without native store dependency.[2]
On mobile platforms, Tampermonkey provides compatibility for Android through browsers like Kiwi Browser or Yandex Browser that support Chrome extensions, allowing full userscript management similar to desktop versions. On iOS, Tampermonkey provides full support through a dedicated Safari extension available via the App Store (released November 2024), compatible with iOS 15.0 and later.[27][2][23]
Recent updates have enhanced compatibility with privacy-focused browsers like Brave, a Chromium derivative, where users must enable "Allow UserScripts" in extension settings to ensure seamless operation alongside Brave's built-in ad-blocker for synergistic content modification. These adaptations align with broader Manifest V3 transitions to maintain cross-browser stability.[28]
Usage
Installation and Setup
Tampermonkey is installed as a browser extension through the respective official extension stores for supported browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, and Opera.[5] To begin, users search for "Tampermonkey" in the browser's extension store or navigate directly via links provided on the official website. For Chrome, users click "Add to Chrome" on the Chrome Web Store page, review the permissions, and confirm the installation by selecting "Add extension."[7] Similar processes apply to Firefox via the Add-ons store, where users click "Add to Firefox" and confirm; for Edge, "Get" from the Microsoft Edge Add-ons store; for Opera, "Add to Opera" from the Opera addons page; and for Safari, download and install from the Mac App Store for macOS or the iOS App Store for iOS via official links.[6][29] During installation, the browser prompts users to grant necessary permissions, which are essential for the extension to inject userscripts into web pages.
Upon successful installation, Tampermonkey's icon appears in the browser toolbar, and users access the dashboard by clicking it to begin configuration. Post-install setup includes selecting a default editor, such as the built-in CodeMirror-based editor or configuring an external editor via file access permissions.[30] Users can enable notifications for script updates and new versions through the settings panel, which requires the "notifications" permission to alert about changes like automatic updates.[31] Sync options allow backing up scripts and settings across devices using services like Google Drive, Dropbox, WebDAV, or browser-native sync, configured in the dashboard under the "Sync" tab to ensure seamless transfer without manual exports.[32]
The extension requests several permissions during setup to function properly, each serving a specific purpose in managing userscripts. These include "tabs" for accessing tab information to determine script execution; "storage" and "unlimitedStorage" for saving script data and configurations; "webRequest" and "webNavigation" to monitor and modify web requests for script injection; "cookies" for handling site-specific data; "downloads" for managing script-related files; "contextMenus" to add right-click options; "clipboardWrite" for script interactions with the clipboard; "idle" for detecting user inactivity; and "<all_urls>" to operate on any website.[31] For local file access, users must manually enable "Allow access to file URLs" in the browser's extension management page.[33] These permissions are transparently listed during installation, allowing users to review and approve before proceeding.
Common setup issues can arise, such as permission denials, which users resolve by navigating to the browser's extensions page (e.g., chrome://extensions/) and ensuring Tampermonkey has the required toggles enabled, including "Allow in Incognito" if needed.[34] Conflicts with other extensions, like user agent spoofers or ad blockers, may prevent script injection; troubleshooting involves temporarily disabling suspects via the extensions manager and re-enabling one by one to identify the culprit.[35] If installation fails or scripts do not load post-setup, reinstalling the extension after exporting existing scripts via the dashboard often clears corrupted files, or creating a new browser profile can isolate profile-specific errors.[36]
Script Creation and Deployment
Users create Tampermonkey scripts by accessing the extension's dashboard and selecting the option to add a new script, which opens an integrated editor for writing code.[2] Every script begins with a metadata block enclosed in special comments, defining essential properties such as the script's name, version, target websites via @match or @include directives, and any required permissions through @grant.[9] Following the metadata, users write standard JavaScript code to manipulate the Document Object Model (DOM), often wrapped in an immediately invoked function expression (IIFE) for encapsulation and to enforce strict mode. For instance, to add a button to a webpage, a script might use the GM_addElement API to insert an interactive element dynamically.[9]
javascript
// ==UserScript==
// @name Add Button Example
// @namespace [example.com](/page/Example.com)
// @version [1.0](/page/Version)
// @description Adds a simple button to the page
// @author You
// @match https://example.com/*
// @grant GM_addElement
// ==/UserScript==
(function() {
'use strict';
GM_addElement('button', {
id: 'myButton',
textContent: 'Click Me',
onclick: function() { alert('Button clicked!'); }
});
})();
// ==UserScript==
// @name Add Button Example
// @namespace [example.com](/page/Example.com)
// @version [1.0](/page/Version)
// @description Adds a simple button to the page
// @author You
// @match https://example.com/*
// @grant GM_addElement
// ==/UserScript==
(function() {
'use strict';
GM_addElement('button', {
id: 'myButton',
textContent: 'Click Me',
onclick: function() { alert('Button clicked!'); }
});
})();
This example targets https://example.com/* and appends a button to the document body that triggers an alert on click.[9]
To test a script, users save it in the editor, which automatically enables it, then reload the target webpage to observe changes.[2] Debugging involves enabling debug logging in Tampermonkey settings and inspecting the browser console (via Ctrl+Shift+J) for errors or using console.log statements within the script code.[2] If issues arise, such as syntax errors or mismatched @match patterns, the console output helps identify and resolve them before further iteration.
For deployment, scripts can be saved locally within Tampermonkey for personal use, or exported as files for sharing.[2] To distribute publicly, users upload scripts to repositories like Greasy Fork or OpenUserJS, where others can install them directly via Tampermonkey.[9] Including an @updateURL in the metadata points to the hosted script file, enabling automatic updates for installers when new versions are published.[9]
Best practices emphasize security and efficiency: minimize @grant directives to only necessary APIs, such as none for basic DOM manipulation, to reduce permissions and potential risks.[9] Precise @match patterns should target specific sites rather than broad wildcards like http://* to avoid performance overhead.[2] Additionally, scripts should include @namespace and @version for proper identification and versioning.[9]
Representative examples illustrate practical applications. An infinite scrolling script detects when a user reaches the page bottom and fetches additional content, appending it seamlessly without pagination links.[37]
javascript
// ==UserScript==
// @name Infinite Scroll
// @namespace http://tampermonkey.net/
// @version 1.0
// @description Enable infinite scrolling on paginated sites
// @author sharmanhall
// @match *://*/*
// @grant none
// ==/UserScript==
(function() {
'use strict';
const observer = new IntersectionObserver((entries) => {
entries.forEach(entry => {
if (entry.isIntersecting) {
const nextLink = [document](/page/Document).querySelector('a[rel="next"], .pagination-next');
if (nextLink) {
fetch(nextLink.href)
.then(res => res.text())
.then([html](/page/HTML) => {
const parser = new DOMParser();
const doc = parser.parseFromString([html](/page/HTML), 'text/[html](/page/HTML)');
const newContent = doc.querySelector('main, .content, .articles');
if (newContent) {
[document](/page/Document).body.appendChild(newContent);
}
});
}
}
});
});
const footer = [document](/page/Document).querySelector('footer');
if (footer) observer.observe(footer);
})();
// ==UserScript==
// @name Infinite Scroll
// @namespace http://tampermonkey.net/
// @version 1.0
// @description Enable infinite scrolling on paginated sites
// @author sharmanhall
// @match *://*/*
// @grant none
// ==/UserScript==
(function() {
'use strict';
const observer = new IntersectionObserver((entries) => {
entries.forEach(entry => {
if (entry.isIntersecting) {
const nextLink = [document](/page/Document).querySelector('a[rel="next"], .pagination-next');
if (nextLink) {
fetch(nextLink.href)
.then(res => res.text())
.then([html](/page/HTML) => {
const parser = new DOMParser();
const doc = parser.parseFromString([html](/page/HTML), 'text/[html](/page/HTML)');
const newContent = doc.querySelector('main, .content, .articles');
if (newContent) {
[document](/page/Document).body.appendChild(newContent);
}
});
}
}
});
});
const footer = [document](/page/Document).querySelector('footer');
if (footer) observer.observe(footer);
})();
Similarly, a dark mode toggle script applies CSS filters to invert colors on demand, often via a keyboard shortcut, and persists the state using localStorage.[38]
javascript
// ==UserScript==
// @name Dark Mode Toggle (Shortcut Only)
// @namespace http://tampermonkey.net/
// @version 1.1
// @description Adds a dark mode toggle to any site via Alt+N
// @author Drewby123
// @match *://*/*
// @grant none
// ==/UserScript==
(function () {
'use strict';
const darkModeStyle = [document](/page/Document).createElement('style');
darkModeStyle.[id](/page/id) = 'dark-mode-style';
darkModeStyle.textContent = `[html](/page/html) {filter: [invert(1)](/page/1) hue-rotate(180deg); background: #111 !important;} img, video {filter: [invert(1)](/page/1) hue-rotate(180deg) !important;}`;
let darkModeEnabled = localStorage.getItem('darkModeEnabled') === 'true';
if (darkModeEnabled) [document](/page/Document).head.appendChild(darkModeStyle);
const toggleDarkMode = () => {
darkModeEnabled = !darkModeEnabled;
darkModeEnabled ? [document](/page/Document).head.appendChild(darkModeStyle) : [document](/page/Document).getElementById('dark-mode-style')?.remove();
localStorage.setItem('darkModeEnabled', darkModeEnabled);
};
[document](/page/Document).addEventListener('keydown', (event) => {
if (event.altKey && event.key === 'n') toggleDarkMode();
});
})();
// ==UserScript==
// @name Dark Mode Toggle (Shortcut Only)
// @namespace http://tampermonkey.net/
// @version 1.1
// @description Adds a dark mode toggle to any site via Alt+N
// @author Drewby123
// @match *://*/*
// @grant none
// ==/UserScript==
(function () {
'use strict';
const darkModeStyle = [document](/page/Document).createElement('style');
darkModeStyle.[id](/page/id) = 'dark-mode-style';
darkModeStyle.textContent = `[html](/page/html) {filter: [invert(1)](/page/1) hue-rotate(180deg); background: #111 !important;} img, video {filter: [invert(1)](/page/1) hue-rotate(180deg) !important;}`;
let darkModeEnabled = localStorage.getItem('darkModeEnabled') === 'true';
if (darkModeEnabled) [document](/page/Document).head.appendChild(darkModeStyle);
const toggleDarkMode = () => {
darkModeEnabled = !darkModeEnabled;
darkModeEnabled ? [document](/page/Document).head.appendChild(darkModeStyle) : [document](/page/Document).getElementById('dark-mode-style')?.remove();
localStorage.setItem('darkModeEnabled', darkModeEnabled);
};
[document](/page/Document).addEventListener('keydown', (event) => {
if (event.altKey && event.key === 'n') toggleDarkMode();
});
})();
Community and Ecosystem
User Base and Popular Scripts
Tampermonkey boasts a substantial user base, with over 10 million installations on the Chrome Web Store as of November 2025.[7] The extension maintains strong adoption on other browsers, including Firefox, where it has garnered thousands of ratings, and Microsoft Edge, where it similarly enjoys widespread use among users seeking web customization.[6][39]
Its growth has been propelled by seamless integration with prominent script repositories such as Greasy Fork, a key hub for userscripts that are fully compatible with Tampermonkey and contribute to its ecosystem by providing easy access to community-developed enhancements.[10] This connectivity allows users to discover and install scripts directly, fostering broader adoption among those looking to tailor their browsing experience.
Among the most influential userscripts are those enhancing media playback and site-specific functionality. For instance, the "Audio and Video Enhancement Script" by ankvps has exceeded 1.2 million total installations, enabling features like adjustable playback speeds and video downloads across platforms including YouTube and Bilibili. Similarly, YouTube-focused tools like SponsorBlock implementations skip sponsored segments, significantly improving viewing efficiency for millions of users through its extension counterpart, while userscript variants amplify this via Tampermonkey. Reddit UI modifications, such as "Unedit and Undelete for Reddit" by DenverCoder1 with over 10,000 installations, restore visibility to edited or deleted content, aiding community discussions.[40] Amazon price trackers, exemplified by "Amazon Historical Prices" powered by Keepa, provide historical pricing charts to inform purchases, though with more modest adoption at hundreds of installs, they underscore practical e-commerce utility.
The Tampermonkey community primarily comprises developers, power users, and enthusiasts who contribute and utilize scripts for productivity and privacy enhancements, often engaging through repositories like Greasy Fork. Users commonly install multiple scripts—ranging from a handful for basic customization to dozens for advanced workflows—with prevalent trends favoring tools that boost efficiency, such as ad blockers and content filters, over exhaustive listings.[41]
Alternatives and Comparisons
Tampermonkey's primary alternatives include Greasemonkey, which is tailored for Firefox users and provides extensive customization options through its open-source architecture, though it offers limited cross-platform capabilities compared to Tampermonkey.[42] Greasemonkey excels in seamless integration with Firefox's ecosystem, allowing for advanced script management and support for legacy userscripts that may not function as smoothly in other managers. Another key alternative is Violentmonkey, an open-source userscript manager that emphasizes lightweight performance and speed, while maintaining high API compatibility with both Tampermonkey and Greasemonkey standards.[43] Violentmonkey is particularly suited for users seeking a modern, resource-efficient option without the overhead of Tampermonkey's feature-rich interface.[44]
For Safari users, Userscripts serves as a dedicated alternative, enabling the execution of JavaScript and CSS modifications within Apple's ecosystem through its open-source Safari extension. In contrast, tools like Stylus focus narrowly on CSS styling rather than full userscript functionality, making it a niche option for visual customizations without JavaScript execution.
| Aspect | Tampermonkey | Greasemonkey | Violentmonkey | Userscripts (Safari) | Stylus |
|---|
| Primary Browser Support | Chrome, Edge, Firefox, Safari, Opera | Firefox | Chrome, Firefox, Edge | Safari | All major browsers |
| Open Source | No | Yes (MIT) | Yes (MIT) | Yes | Yes |
| UI Polish & Features | High (advanced editor, sync options) | Moderate (customizable but basic) | Moderate (lightweight dashboard) | Basic (simple script runner) | High (style-focused editor) |
| Mobile Support | Yes (Safari iOS) | No | Limited | Yes (iOS Safari) | Yes (via browser extensions) |
| Script Functionality | Full JS + CSS | Full JS + CSS | Full JS + CSS | JS + CSS | CSS only |
Controversies
Security and Privacy Issues
Tampermonkey's reliance on third-party userscripts introduces significant security risks, as these scripts can contain malicious code designed to inject malware or exfiltrate sensitive data. A 2014 analysis of over 86,000 scripts from major repositories found 126 malicious ones, with 70 capable of stealing user credentials and 25 embedding third-party JavaScript that could facilitate further attacks.[46] Specifically, the Greasemonkey API supported by Tampermonkey, such as GM_xmlhttpRequest, allows scripts to bypass the browser's same-origin policy, enabling cross-domain requests that could lead to data exfiltration, including personal information from web pages.[46][9]
The extension's broad permissions exacerbate these vulnerabilities, granting access to all tabs and URLs to facilitate script injection, which raises concerns for unauthorized tracking, session hijacking, or interception of user inputs across sites.[2] Tampermonkey requires permissions including <all_urls> for content injection, webRequest for modifying network traffic, storage for persisting data, and tabs for accessing tab information, potentially allowing scripts to monitor or alter browsing activity without explicit per-site consent.[2]
Historical incidents highlight these dangers; for instance, in early 2025, two userscripts on Greasy Fork, a popular repository compatible with Tampermonkey, were compromised via an inactive author's account, inserting malicious code that affected users relying on the platform.[47] Broader studies have identified vulnerabilities in similar script ecosystems, such as DOM-based XSS in 2% of analyzed scripts (1,736 cases), which, when combined with generic @include directives affecting 60% of scripts, could enable global data theft across domains.[46]
To mitigate these risks, Tampermonkey incorporates features like script source verification through a community-maintained blacklist of known malicious scripts, user prompts during installation to review and approve scripts, and explicit @grant directives that require developer declaration for powerful APIs like GM_xmlhttpRequest.[2][9] Sandboxing options via the @sandbox metadata key limit script execution contexts—such as isolating to a "JavaScript" or "DOM" environment—to prevent direct access to the page's global scope, reducing the potential for privilege escalation.[9] Additionally, Subresource Integrity (SRI) checks with hash verification for @require and @resource dependencies help ensure external libraries remain untampered.[9]
Privacy implications arise from scripts' ability to access local storage, cookies via GM_cookie, or network data without granular user consent, potentially leading to unintended data sharing if permissions are overly broad.[9] Users must manually review @connect domains and @grant usage to avoid exposing personal data, as the extension's design prioritizes flexibility over default restrictions.[9][2]
Policy Conflicts with Browsers
Tampermonkey has faced significant policy conflicts with browser vendors, particularly Google Chrome, stemming from changes in extension architectures and enforcement of rules aimed at enhancing security and limiting potentially disruptive behaviors. In 2019, developer Jan Biniok highlighted in a Chromium Extensions discussion group that the proposed Manifest V3 (MV3) framework would effectively break Tampermonkey by prohibiting remotely hosted code, a core feature allowing users to load external userscripts. This led to ongoing scrutiny, as MV3's rollout began in 2021 and phased out Manifest V2 support by June 2025, requiring Tampermonkey to adapt through a compatibility mode that demands users enable developer mode in Chrome for full functionality.[48]
Google's policies under MV3 have particularly targeted extensions enabling aggressive ad filtering, impacting Tampermonkey since it facilitates userscripts for ad blocking. Since 2023, MV3's declarativeNetRequest API limits the number and dynamism of filtering rules, reducing the effectiveness of ad-blocker scripts run via Tampermonkey and prompting developer updates to maintain partial compatibility. By 2024, Chrome's enforcement of MV3 in stable releases forced many ad-related userscripts to operate in restricted modes or require sideloading outside the Chrome Web Store. These changes, part of a broader crackdown on ad blockers to protect publisher revenue, have positioned Tampermonkey under continued review for facilitating circumvention of site policies.[49]
In January 2019, Opera banned Tampermonkey from installation via the Chrome Web Store, citing its use in distributing malware through compromised userscripts. The ban was temporary, and following community backlash and developer assurances of enhanced security measures, Opera reinstated the extension later that year.
On Firefox, Mozilla's add-on policies, updated to emphasize transparency post-2020, require userscript managers like Tampermonkey to disclose permissions clearly and mandate explicit user consent for script installation and execution. These guidelines, part of broader efforts to protect user privacy, stipulate that the UserScripts API—used by Tampermonkey—must only activate via user-initiated actions, such as button clicks, and include opt-in mechanisms for data handling. Non-compliance risks review delays or removal from the Firefox Add-ons store, though Tampermonkey has maintained approval by aligning with these transparency mandates.[50]
In response, Jan Biniok has advocated for the legitimacy of userscript managers through public forums and direct engagement with browser teams, arguing that MV3's restrictions undermine user customization without adequate alternatives. While no formal petitions from Biniok are documented, his interventions contributed to discussions influencing MV3's evolution, including allowances for limited dynamic injection in approved cases. These conflicts have broader implications, encouraging users to resort to sideloaded extensions or alternative browsers like Firefox to evade restrictive policies.[51]