How to Spot Unsafe Scripts


When trying out or installing new user scripts, first and foremost take note of the places they will run. Your browser will always show this information on the script install screen, as a list of include/exclude wildcard URLs. A script should never run where it is not needed. For Illyriad, that means scripts should only run on URLs like*.

Pay special attention that the script will not run on either the login page ( or in the forums (*) unless it actually provides features for the forums, which is unlikely. A typical script for Illyriad can accomplish all it needs from within the following rules:

@include        http://**
@exclude        http://*

It is perfectly acceptable for a script to run on a more specific subset of safe pages, like http://*. As long as the script is not running on the login page or the forums, you're at least safe from game account theft. So long as it doesn't run anywhere outside the game, you're safe from theft of other unrelated accounts and from browser attacks by malware-hosting web servers. There's still the potential that someone could be hijacking login sessions or controlling your account through the script, but these are lesser and less likely threats--at least the account stays primarily in your control.
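The include/exclude check described above can also be done on the script source before installing. The following is an added example, not code from this page or from any script manager: it reads the metadata block and reports which sensitive URLs the script would be allowed to run on. The hosts (game.example, forum.game.example, bank.example) and the function names are placeholders, and the wildcard matching is a simplified model of how script managers treat `*`.

```javascript
// Added example; game.example, forum.game.example and bank.example are placeholders.

// Pull @include / @exclude patterns out of the ==UserScript== metadata block.
function parseRules(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const rules = { include: [], exclude: [] };
  if (!block) return rules;
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(include|exclude)\s+(\S+)/.exec(line);
    if (m) rules[m[1]].push(m[2]);
  }
  return rules;
}

// Simplified glob: '*' matches any run of characters, everything else is literal.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// The script runs on a URL when some include matches and no exclude does.
// A script with no @include is treated as "@include *" (runs everywhere).
function runsOn(rules, url) {
  const includes = rules.include.length ? rules.include : ['*'];
  const hit = (globs) => globs.some((g) => globToRegExp(g).test(url));
  return hit(includes) && !hit(rules.exclude);
}

// Return the sensitive URLs the script would be allowed to run on.
function audit(source, sensitiveUrls) {
  const rules = parseRules(source);
  return sensitiveUrls.filter((u) => runsOn(rules, u));
}

// Constructed sample input: a login page, a forum page and an unrelated site.
const SENSITIVE = ['http://game.example/login',
  'http://forum.game.example/topic/1', 'https://bank.example/'];
const scoped = `// ==UserScript==
// @name     Scoped helper
// @include  http://game.example/*
// @exclude  http://game.example/login*
// ==/UserScript==`;
const greedy = `// ==UserScript==
// @name     Greedy helper
// @include  *
// ==/UserScript==`;
console.log(audit(scoped, SENSITIVE), audit(greedy, SENSITIVE));
```

An empty result means the rules keep the script off every URL in the list; anything returned is a page the script can read and modify.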

Advanced Review

If you are using Firefox, you can watch for suspicious behavior with any extension (like Firebug) that tracks and reports asynchronous queries. In the case of Firebug, enable and switch to the 'Net' panel and select the 'XHR' filter. Make note of the URL for any requests that appear; the details therein should tip you off if anything untoward is happening. For example, if you see requests that aren't going to, check what information is being submitted. It could be that the author is using his script to find out information about your account, such as troop counts and resource stockpiles. If you see URLs like, the script is automating "actions" on your account, which not only violates the game rules but is probably also not for your benefit.