Is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?
18 views
Skip to first unread message
Angly Cat
Nov 30, 2015, 11:58:31 AM11/30/15
to mozilla-labs-jetpack
I'm developing a jetpacked add-on for a specific site. My scripts need to access a webpage scripts (via window object) and vice versa (for debugging my scripts on that certain webpages using developer console in a webpage context, so add-on debugging console won't do since it doesn't have access to webpages).
I tried using Content Scripts (the ones that loads using ContentScriptFile of sdk/page-mod or sdk/tabs), with window.wrappedJSObject but they are privileged, so they get XRayed.
I tried to use Services.scriptloader.loadSubScript in Content Script, but the only way to get Services I've found is
but Content Scripts not having 'require' it doesn't work, so I don't know if it's suitable for my case.
The easiest way I can think of to achieve my goals is just to create <script>-tags on pages with my scripts as src, but AMO signing autovalidator says that <script>-tags are dangerous and shows me this link, which doesn't have an answer to my question.
So, is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?
I tried using Content Scripts (the ones that loads using ContentScriptFile of sdk/page-mod or sdk/tabs), with window.wrappedJSObject but they are privileged, so they get XRayed.
I tried to use Services.scriptloader.loadSubScript in Content Script, but the only way to get Services I've found is
const { Cu } = require("chrome");
let Services = Cu.import("resource://gre/modules/Services.jsm");but Content Scripts not having 'require' it doesn't work, so I don't know if it's suitable for my case.
The easiest way I can think of to achieve my goals is just to create <script>-tags on pages with my scripts as src, but AMO signing autovalidator says that <script>-tags are dangerous and shows me this link, which doesn't have an answer to my question.
So, is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?
Angly Cat
Nov 30, 2015, 12:09:36 PM11/30/15
to mozilla-la...@googlegroups.com
On Monday, November 30, 2015 at 10:58:31 PM UTC+6, Angly Cat wrote:
I tried using Content Scripts (the ones that loads using ContentScriptFile of sdk/page-mod or sdk/tabs), with window.wrappedJSObject but they are privileged, so they get XRayed.
Actually, I've made it to do what I want.
I used
{
// ...
"permissions": {
"unsafe-content-script": true,
// ...
}
}And I created my objects this way:
var main_object = createObjectIn(window.wrappedJSObject),
sub_object = createObjectIn(main_object, {defineAs: "sub_object"});
So these objects' methods could be accessed in developer console.
But AFAIK, "unsafe-content-script" flag is deprecated, and this way doesn't look as the right (and straightforward) way to do what I need.
Reply all
Reply to author
Forward
0 new messages