motivated by a number of factors (including your grievances), we have rewritten the current OSRS script rules. The rewrite isn't necessarily meant to change any of the current rules (though there are a few changes), but rather to:
- Consolidate miscellaneous rulings and guidelines made by [violet]/Eluvatar/Ballotonia over the few past years
- Provide a better framework for future rule changes as we shift more things towards the API
- Clear up cases where the rules seemed ambiguous
- Add examples where appropriate
For the most part, the rules in this draft should be equivalent to the existing rules + extraneous rulings, just that they are explained differently (and in more detail). There are a few differences, however:
- Answering an issue is now a prohibited action rather than restricted action, since that can be done via the API. But don't panic: your keybind scripts for this purpose are still perfectly okay (so long as they don't programmatically decide which issue option to answer).
- The act of loading the reports page is now a restricted action (use the happenings API instead). But don't panic, this doesn't affect things like Breeze++ where loading the reports page is user-initiated.
- "page=blank" is now documented.
- All tool-crafted requests (i.e. requests that are not based on an existing button on a NS page) must now identify themselves to the server. Before, this only applied to restricted actions. Most tools already do this.
- Tool-crafted user-initiated requests must send a "userclick" parameter (this has been a best practice for many years now).
The new rules are not in effect yet, because we want to hear from you first. Comments, (constructive) criticism, questions, and suggestions are all welcome and encouraged, in particular with regards to how clear and easy to understand these relatively complex rules are, and we'll be actively engaged in this thread. However, when you do post a suggestion or a criticism, note that the "why" is more important and helpful than the "what"; for example, saying "a blue sky sucks" helps nobody, but instead saying "dusk and dawn are generally considered romantic so the sky should have a red tint" is helpful.
I look forward to your responses!
Script Rules for HTML siteThe rules described here apply to any kind of tool (standalone script, browser extension, custom stylesheet, etc.) that interacts with NationStates in any way that is not using the NationStates API. If it's only using the NationStates API, you're in the clear and these rules don't apply! We encourage everyone to use the API wherever possible.
Deprecation Notice
Note!! Tools that interact with the server should use the NationStates API, rather than sending commands to the HTML site.
Authors of tools that interact with the HTML site must take extreme care to follow the below rules, which are complex and subject to change. Access to the HTML site by such tools is being increasingly restricted and may be blocked altogether in the future. Before you write a script that sends requests to the HTML site, consider whether it can use the API instead, which is a safer, faster, simpler, and more reliable environment for bots.
Identifying your Tool
Identifying your tool in requests it makes to the site helps diagnose and identify issues, and also allows us to contact you if something goes wrong and give you a chance to fix it. Your tool must identify itself for any requests it creates and sends.
The identification must include the name of your tool and a way to contact you the author (main nation name, email address, and/or the URL of your website are all acceptable). If at all possible, the identification must also include the name of the user using the tool and the current version of your tool. In addition, for user-initiated requests, a UNIX timestamp (in seconds or milliseconds) of the time when the user initiated (by clicking a button or pressing a key) must be included as a URL parameter with the name "userclick".
If at all possible, your tool must identify itself by setting the User-Agent header with the relevant data. An example of how this looks HTTP-conformant way is:
- Code: Select all
User-Agent: ExampleScript/1.2 (by:Testlandia; usedBy:Maxtopia)
If your environment doesn't allow you to set the User-Agent header (for example, in Chromium-based browsers), you must instead pass a URL parameter called "script" with that information. In combination with a userclick parameter, an example request URL looks something like this:
- Code: Select all
https://www.nationstates.net/page=un?script=ExampleScript_1_2__by_Testlandia__usedBy_Maxtopia&userclick=1658713900823
Sending Requests
This section applies to any non-API requests your tool crafts itself and sends to NationStates, and not to keybinds etc.. When your tool sends such a request, we distinguish between manual and automatic requests, as well as between prohibited actions, restricted actions, and non-restricted actions. Each of these are governed by their own rules.
Note that your requests must identify themselves to the server; see the section "Identifying your Tool" for details.
A request is manual if and only if it is initiated by immediately responding to a user's input (mouse click or key press), at the ratio of one click to one request. You must not queue or delay performing the action (for example, to wait for a previous request to complete) in any way; you must perform the action immediately when detecting the input (such as in the appropriate callback), or not perform it at all. Anything else (including a second request sent by a user input) is considered an automatic request. Manual requests must be marked with a userclick parameter; see the section "Identifying your Tool'' for details.
Prohibited actions are:These actions must not be performed by a script, no matter if human-initiated or not, in any case. Note that all of these actions can be performed using the API instead.
- Answering or dismissing an issue
- Sending a telegram
Restricted actions are:Restricted actions must only be initiated manually. For example, a tool that sends ban requests to the server at five-second intervals, regardless of user input, is executing restricted actions automatically, and is illegal. However, a tool that makes ban buttons appear on pages where they aren't normally present is legal (if all the other rules here are followed), as this requires a user's click to change anything in the gameworld.
- Creating a nation
- Posting a message
- Suppressing / unsuppressing a message
- Moving regions
- Endorsing / unendorsing a nation
- Banning / ejecting a nation from a region
- Anything that generates a Happenings event line in a region, the World Assembly, or a nation other than your own
- Anything that sends a request to the forums (https://forum.nationstates.net) as a logged-in user, or a forum login request
- Anything that affects a Trading Card, including placing a bid or ask, junking a card, and opening a pack
- Anything that sends a command for a NationStates special event mini-game (e.g. April Fools, N-Day, Z-Day), including NS Challenge
- Loading the Reports page
Actions that aren't listed above and only affect your nation, such as changing its custom fields are non-restricted actions. Other actions that only scrape information are also non-restricted actions. Non-restricted actions can be performed manually or automatically.
Automatic requests are subject to a rate limit of 10 requests per minute (or one request every 6 seconds). Manual requests have no rate limit (but usually must follow simultaneity).
Automatic Manual Non-restricted action Ok (with rate limit) Ok Restricted action Illegal Ok Prohibited action Illegal Illegal
A tool must not execute restricted actions simultaneously, but must instead wait for the completion of each command (that is, a complete response from the NationStates server) before issuing the next one — this is widely known as the "simultaneity rule". A tool must not spawn background processes to enable multiple simultaneous server connections that each perform a restricted action. A tool is theoretically allowed to send simultaneous non-restricted actions, but we recommend applying simultaneity universally as this makes things easier for everyone involved.
If you're working in a synchronous/imperative programming environment, simultaneity is relatively straightforward: do not have multiple threads of execution simultaneously making HTTP requests that perform restricted actions, even in response to multiple user inputs. For example, in a GUI program like an android app, it's easier to follow this rule than not to. However, as soon as you're working with asynchronicity in any fashion (multiple threads, or using a language's asynchronous features like async/await in Javascript or C#, or generally working with an asynchronous HTTP interface such as XMLHttpRequest or fetch() in the browser), this can be tricky, and you must take great care to not violate this rule. If you're unsure, you could use Wireshark or a similar network analysis tool to make sure your tool is above board.
If your tool runs in the browser, the section "Modifying Pages" has additional guidance on how to best handle simultaneity.
Modifying Pages
You're free to write and use tools that modify what NationStates pages look like, with few exceptions.
For the most part, prohibited page items are entirely off-limits to tools. These are:Note that this list may be expanded in the future. We will give ample notice if this happens.
- The telegrams user interface, e.g. page=telegram, page=compose_telegram, anything within <div id="tgcompose"></div> on a nation page, or any other place from which a telegram can be sent.
- The "Getting Help" interface
- The NationStates Shop
Your tool may freely customize everything that affects the look (but not the layout) of any NationStates page (including prohibited page items). This includes fonts, colors, margins, paddings, borders, and more. Note, however, that we don't make any assurances (beyond those explicitly listed in these rules) about the format and markup of any part of the site, and they can change at any time without any notice.
Your tool may adjust the layout of existing NationStates page items, or augment existing page items with new elements, or auto-fill existing form elements, with some restrictions:
- Any prohibited page item may not be modified in any fashion.
- If NationStates itself creates multiple buttons that allow the user to perform restricted actions, you must not relayout these buttons in a way that allows faster clicking unless you also follow the simultaneity rule. See below for details.
Your tool may offer alternate input methods (such as keybinds) to any existing page items (including prohibited ones). To qualify as an alternate input method for prohibited page items, or to buttons that perform a prohibited action, each distinct input sequence must map to one unique click location per page. For example, it’s okay to map the keys 1-4 or voice commands “one” to “four” to issue answers 1-4, but it’s not okay to make one button that programmatically decides which issue to answer and clicks the button, or to autofill a text box.
Your tool may add links, buttons, or alternate input methods (e.g. keybinds) pointing to other NationStates pages. Such a button may not perform a prohibited action in any case. If such a button performs a restricted action, clicking it must abide by the simultaneity rule. Note that this is an all-or-nothing situation - as soon as you introduce one button to send a restricted action, you must ensure that all possible restricted actions (including buttons that were not added by your tool but by NationStates itself!) that can be performed from the current page follow the simultaneity rule.
If your tool wants to create its own pages, it can use https://www.nationstates.net/page=blank. This opens a blank page that includes the side and header bars, and your tool can inject its content into <div id="content"> within that. We expect that this URL will remain stable for the foreseeable future. Note that NationStates ignores any additional URL parameters for this page, so you can freely use those to distinguish between different pages of your tool; we recommend that you include the name of your script in the URL, for us to track it and for different tools not interfering with each other. For example, you could generate and use links to https://www.nationstates.net/page=blank ... t/settings and https://www.nationstates.net/page=blank ... =something, and your tool then parses this URL (window.location.href in Javascript) to display the appropriate page to the user.
Handling Simultaneity
Specifically in the context of a tool that runs in the browser, special care has to be taken to follow the simultaneity rule. A proven method of doing this involves disabling all form buttons in the button onclick handler, and reenabling them when the request has completed. The correct time depends on how your tool operates:
- If your tool lets the browser handle the form submission, don't reenable buttons at all, since a full page load will be initiated.
- When using XMLHttpRequest, either the loadend callback can be used, or the readystatechange callback with readyState == 4 (DONE).
- When using jQuery, the complete callback function passed to jQuery.ajax or jQuery.post is called at the correct time and can be used to re-enable buttons.
- When using Fetch API, buttons can be re-enabled once the Promise returned from one of the Response object's methods (such as text()) is resolved.
- For other methods, consult the corresponding documentation to know when an issued request is fully completed.
To disable/enable form buttons, the following snippets (using jQuery) can be used.
- Code: Select all
$('form input[type="submit"], form button').attr("disabled", true).addClass("disabledForSimultaneity");
- Code: Select all
$('.disabledForSimultaneity').removeAttr("disabled").removeClass("disabledForSimultaneity");
Miscellaneous
It is illegal to distribute a tool that breaks game rules when used in its primary, default, or intended manner. For details on how we deal with tools that violate these rules, see this post.
Rate limits and simultaneity handling apply to a tool only within its operating domain and the confines of its possibilities. For example, a Greasemonkey script, a browser extension with only a content script, or a user stylesheet only operate within one tab and can't worry about following simultaneity or the rate limit in other tabs. Similarly, a browser extension (with a background script) has access to multiple tabs and needs to ensure that the rate limit is followed across all tabs it operates in; it cannot (and need not) concern itself with tabs in other browsers, or tabs in the same browser it does not have access to through security measures in the browser. Standalone tools aren't responsible for what other unrelated tools do on the same computer. Users of your tool should be made aware that taking advantage of this (for example, by running your otherwise legal auto-refreshing tool in 100 browser tabs, or starting a standalone scraper tool 100 times) may lead to punishment.
Tools may generate any clickable links to NationStates that a user could also type into the address bar manually, so long as the crafted URL is not presented in a way that deceives the user, and clicking it would not otherwise violate the site rules or the terms of service. For example, crafting a URL that shows nation statistics that can't be reached through clicking on the site is fine; crafting a URL that is known to be slow to DDoS the site, or a URL that spams an RMB is not fine; and if you send a URL to resign from the World Assembly to a Delegate and pass it off as "hey, click this to see my puppy dispatch", you can expect very harsh punishment.
There is no guarantee that any URLs not explicitly specified here will remain stable or accessible.
NationStates offers an API, which provides a faster, more efficient interface for many scripts. It is governed by its own rules; these Script Rules don't apply to any API request. It is a much more bot-friendly environment, with far higher rate limits, and there are some things that can only be legally done via the API. You should, if at all possible, choose the API over the regular HTML site.
