I'm attempting to add a feature to my extension that will export a function to the content page. I need it to function even for inline scripts.
FireBug does this, with its console logging API. I've spent all day trying to decode how it works, and not gotten very far. Plus, its method seems very complex.
Is there a good way to inject a new function into the global window scope that a normal page sees from an extension? If not, is there a good example of the complicated way to do it, somewhere?
Anthony Lieuallen wrote:
> I'm attempting to add a feature to my extension that will export a
> function to the content page. I need it to function even for inline
> scripts.
>
> FireBug does this, with its console logging API. I've spent all day
> trying to decode how it works, and not gotten very far. Plus, its
> method seems very complex.
>
> Is there a good way to inject a new function into the global window
> scope that a normal page sees from an extension? If not, is there a
> good example of the complicated way to do it, somewhere?
> Thanks!
The fact that it does it very complicatedly is because it's a huge security risk. Basically, you're doomed as soon as you access anything provided by content from a chrome-privileged function (because with getters and setters, even an assignment or function call can screw you over).
To my knowledge, there is no simple, safe, way to do what you ask. It'll always be messy.
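Added example, not part of the original thread and not Firebug or Mozilla code: a plain-JavaScript model of the getter/setter hazard described in the reply above, next to a variant that inspects and defines the property without running page-supplied accessors. The names `makeHostilePage`, `naiveExport` and `carefulExport` are hypothetical, and the page object is a constructed stand-in for a content window.

```javascript
// Constructed stand-in for a content window whose own script ran first and
// planted accessors on the name the extension wants to define.
function makeHostilePage() {
  const log = [];
  const page = {};
  Object.defineProperty(page, 'urchinTracker', {
    configurable: true,
    get() { log.push('getter ran'); return undefined; },
    set(v) { log.push('setter ran with ' + typeof v); },
  });
  return { page, log };
}

// Looks harmless, but the read and the write both call page-supplied code
// on the caller's stack, which is the privileged one in an extension.
function naiveExport(page, name, fn) {
  if (typeof page[name] !== 'function') { // read  -> page getter runs
    page[name] = fn;                      // write -> page setter runs
  }
}

// Inspect the slot through its descriptor (no getter call), then install a
// plain data property with defineProperty (no setter call).
function carefulExport(page, name, fn) {
  const d = Object.getOwnPropertyDescriptor(page, name);
  if (d && !d.configurable) return false;               // cannot replace it
  if (d && typeof d.value === 'function') return false; // page defined it itself
  Object.defineProperty(page, name, {
    value: fn, writable: true, configurable: true, enumerable: true,
  });
  return true;
}

// Runs both variants against fresh hostile pages and reports what page code ran.
function demo() {
  const noop = function () {};
  const a = makeHostilePage();
  naiveExport(a.page, 'urchinTracker', noop);
  const b = makeHostilePage();
  const installed = carefulExport(b.page, 'urchinTracker', noop);
  return {
    naiveLog: a.log,
    carefulLog: b.log,
    installed: installed,
    stubbed: b.page.urchinTracker === noop,
  };
}
```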
On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
> I'm attempting to add a feature to my extension that will export a
> function to the content page. I need it to function even for inline
> scripts.
>
> FireBug does this, with its console logging API. I've spent all day
> trying to decode how it works, and not gotten very far. Plus, its
> method seems very complex.
>
> Is there a good way to inject a new function into the global window
> scope that a normal page sees from an extension? If not, is there a
> good example of the complicated way to do it, somewhere?
Why do you need this? Is the page under your control? Did you search for other threads about this?
> On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
>> I'm attempting to add a feature to my extension that will export a
>> function to the content page. I need it to function even for inline
>> scripts.
> Why do you need this? Is the page under your control? Did you search
> for other threads about this?
I'm tired of "urchinTracker is not defined" or "OAS_RICH is not defined" errors showing up, because the script that defined them happened to be blocked, but the call to them is inline.
Yes, I searched, but the terms I use must not have been the terms that other people used, if this thread is out there already.
> Anthony Lieuallen wrote:
>> I'm attempting to add a feature to my extension that will export a
>> function to the content page. I need it to function even for inline
>> scripts.
>>
>> FireBug does this, with its console logging API. I've spent all day
>> trying to decode how it works, and not gotten very far. Plus, its
>> method seems very complex.
> The fact that it does it very complicatedly is because it's a huge
> security risk. Basically, you're doomed as soon as you access anything
> provided by content from a chrome-privileged function (because with
> getters and setters, even an assignment or function call can screw you
> over).
I'm aware of the security concerns. (I'm a GreaseMonkey hacker, since before the big security release, and I watched that unfold.) The complicated-ness I refer to is the fact that FireBug:
1. Creates a <browser> in the overlay
2. with an XBL binding attached,
3. which sets a constructor,
4. which calls an initializer,
5. which adds a progress listener,
6. which calls a function, which adds another progress listener,
7. which calls another function, which finally injects an object into the content page.
Yes, the object uses closures for security, but at this point that's a trivial addition.
Are all these steps really necessary to get the "window has been created, page hasn't been loaded in yet" context?
On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
> On 2/5/2007 8:18 PM, Nickolay Ponomarev wrote:
> > On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
> >> I'm attempting to add a feature to my extension that will export a
> >> function to the content page. I need it to function even for inline
> >> scripts.
> > Why do you need this? Is the page under your control? Did you search
> > for other threads about this?
>
> I'm tired of "urchinTracker is not defined" or "OAS_RICH is not defined"
> errors showing up, because the script that defined them happened to be
> blocked, but the call to them is inline.
In that case you can do what nsSidebar does (it defines a global property 'sidebar' accessible from content).
> Yes, I searched, but the terms I use must not have been the terms that
> other people used, if this thread is out there already.
OK, it's better to let the group know that you did in fact search the archives when you're asking a question. And if you found something that is not quite what you need, it's useful to mention that too.
> In that case you can do what nsSidebar does (it defines a global
> property 'sidebar' accessible from content).
TYVM! That's just the nugget I needed, the keystone that has cracked open the floodgates. I've googled plenty of appropriate references from that starting point already.
> On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
>> On 2/5/2007 8:18 PM, Nickolay Ponomarev wrote:
>> > On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
>> >> I'm attempting to add a feature to my extension that will export a
>> >> function to the content page.
>> > Why do you need this? Is the page under your control? Did you search
>> > for other threads about this?
>> I'm tired of "urchinTracker is not defined" or "OAS_RICH is not defined"
>> errors showing up, because the script that defined them happened to be
>> blocked, but the call to them is inline.
> In that case you can do what nsSidebar does (it defines a global
> property 'sidebar' accessible from content).
I've figured out how to do this properly, but it only places an object into the page's scope; I need a function to be injected there. I've just shifted "is not defined" to "is not a function" by doing this.
Is this just something that this method isn't going to support?
> On 2/6/2007 7:53 AM, Nickolay Ponomarev wrote:
> > On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
> >> On 2/5/2007 8:18 PM, Nickolay Ponomarev wrote:
> >> > On 2/6/07, Anthony Lieuallen <just...@example.com> wrote:
> >> >> I'm attempting to add a feature to my extension that will export a
> >> >> function to the content page.
> >> > Why do you need this? Is the page under your control? Did you search
> >> > for other threads about this?
> >> I'm tired of "urchinTracker is not defined" or "OAS_RICH is not defined"
> >> errors showing up, because the script that defined them happened to be
> >> blocked, but the call to them is inline.
> > In that case you can do what nsSidebar does (it defines a global
> > property 'sidebar' accessible from content).
>
> I've figured out how to do this properly, but it only places an object
> into the page's scope; I need a function to be injected there. I've
> just shifted "is not defined" to "is not a function" by doing this.
> Is this just something that this method isn't going to support?
I think so (there is a similar category for global constructors, but I don't think it will work). You could try something like this:
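    // Sandbox that runs with the content page's principal, not chrome's
    var s = new Components.utils.Sandbox(content);
    // Give sandboxed code access to the (wrapped) content window
    s.window = content;
    // Create the function on the page's global object from inside the sandbox
    Components.utils.evalInSandbox("window.wrappedJSObject.test = function () { } ", s);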
- at some point when the JS environment is initialized, but the scripts have not yet run. This creates a sandbox using the principal of the currently active content page (this part will need to be tweaked to support background loads as well), gives the sandbox access to the (wrapped) global object of the content page, then creates a function in the page's global object using the sandbox's principal.
FWIW, bzbarsky didn't immediately find a problem with this approach :)
On Feb 10, 8:46 pm, Anthony Lieuallen <just...@example.com> wrote:
> I've figured out how to do this properly, but it only places an object
> into the page's scope; I need a function to be injected there. I've
> just shifted "is not defined" to "is not a function" by doing this.
Hi,
I'm trying to inject an object into client windows. Could you publish how you managed to do this?