Is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?


Angly Cat

Nov 30, 2015, 11:58:31 AM
to mozilla-labs-jetpack
I'm developing a jetpacked add-on for a specific site. My scripts need to access the webpage's scripts (via the window object) and vice versa (for debugging my scripts on those webpages using the developer console in a webpage context, so the add-on debugging console won't do since it doesn't have access to webpages).

I tried using Content Scripts (the ones that load using ContentScriptFile of sdk/page-mod or sdk/tabs) with window.wrappedJSObject, but they are privileged, so they get XRayed.

I tried to use Services.scriptloader.loadSubScript in Content Script, but the only way to get Services I've found is

const { Cu } = require("chrome");
// Cu.import returns the module's global, so destructure Services from it.
let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});

but since Content Scripts don't have 'require', it doesn't work, so I don't know if it's suitable for my case.

The easiest way I can think of to achieve my goals is just to create <script>-tags on pages with my scripts as src, but AMO signing autovalidator says that <script>-tags are dangerous and shows me this link, which doesn't have an answer to my question.

So, is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?

Angly Cat

Nov 30, 2015, 12:09:36 PM
to mozilla-la...@googlegroups.com


On Monday, November 30, 2015 at 10:58:31 PM UTC+6, Angly Cat wrote:
I tried using Content Scripts (the ones that load using ContentScriptFile of sdk/page-mod or sdk/tabs) with window.wrappedJSObject, but they are privileged, so they get XRayed.

Actually, I've made it do what I want.

I used

{
  // ...
  "permissions": {
    "unsafe-content-script": true,
    // ...
  }
}
in my add-on's package.json, so my privileged Content Scripts could access webpage scripts.

And I created my objects this way:
var main_object = createObjectIn(window.wrappedJSObject),
    sub_object = createObjectIn(main_object, {defineAs: "sub_object"});

So these objects' methods could be accessed in the developer console.

But AFAIK, the "unsafe-content-script" flag is deprecated, and this doesn't look like the right (and straightforward) way to do what I need.
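
As an added example (not part of the original posts and not Add-on SDK code): a content script can build the page-visible debug object with the createObjectIn call shown above plus Firefox's exportFunction and cloneInto helpers, validating page-supplied arguments and handing back copies only. The names exposeDebugApi, state and myAddonDebug are hypothetical, and the fallback shims are constructed stand-ins so the sketch also runs outside Firefox.

```javascript
// Added example. In a Firefox content script, createObjectIn, exportFunction
// and cloneInto are sandbox globals; the fallbacks below are constructed
// stand-ins so the sketch also runs under Node for testing.
const g = globalThis;
const mkObject = g.createObjectIn ||
  ((scope, opts) => (scope[opts.defineAs] = {}));
const expFn = g.exportFunction ||
  ((fn, scope, opts) => (scope[opts.defineAs] = fn));
const clone = g.cloneInto ||
  ((value, _scope) => JSON.parse(JSON.stringify(value)));

// Hypothetical add-on state kept on the privileged side.
const state = { enabled: true, log: [] };

// Define `pageWindow[name]` with a small debugging API. `pageWindow` is the
// unwrapped page global (window.wrappedJSObject in the post).
function exposeDebugApi(pageWindow, name) {
  const api = mkObject(pageWindow, { defineAs: name });

  // Return a copy: the page never gets a reference to privileged objects.
  expFn(() => clone(state, pageWindow), api, { defineAs: "getState" });

  // Arguments come from the page, so treat them as untrusted input.
  expFn(function setEnabled(flag) {
    if (typeof flag !== "boolean") return false;
    state.enabled = flag;
    state.log.push("enabled=" + flag);
    return true;
  }, api, { defineAs: "setEnabled" });

  return api;
}

// In the content script:
//   exposeDebugApi(window.wrappedJSObject, "myAddonDebug");
// Then, in the page's developer console:
//   myAddonDebug.getState(); myAddonDebug.setEnabled(false);
```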