FireBug does this, with its console logging API. I've spent all day
trying to decode how it works, and not gotten very far. Plus, its
method seems very complex.
Is there a good way to inject a new function into the global window
scope that a normal page sees from an extension? If not, is there a
good example of the complicated way to do it, somewhere?
Thanks!
The fact that it does it very complicatedly is because it's a huge
security risk. Basically, you're doomed as soon as you access anything
provided by content from a chrome-privileged function (because with
getters and setters, even an assignment or function call can screw you
over).
To my knowledge, there is no simple, safe, way to do what you ask. It'll
always be messy.
~ Gijs
Nickolay
I'm tired of "urchinTracker is not defind" or "OAS_RICH is not defined"
errors showing up, because the script that defined them happened to be
blocked, but the call to them is inline.
Yes, I searched, but the terms I use must not have been the terms that
other people used, if this thread is out there already.
I'm aware of the security concerns. (I'm a GreaseMonkey hacker, since
before the big security release, and I watched that unfold.) The
complicated-ness I refer to is the fact that FireBug:
1. Creates a <browser> in the overlay
2. with an XBL binding attached,
3. which sets a constructor,
4. which calls an initializer,
5. which adds a progress listener,
6. which calls a function, which adds another progress listener,
7. which calls another function, which finally injects an object into
the content page.
Yes, the object uses closures for security, but at this point that's a
trivial addition.
Are all these steps really necessary to get the "window has been
created, page hasn't been loaded in yet" context?
> Yes, I searched, but the terms I use must not have been the terms that
> other people used, if this thread is out there already.
OK, it's better to let the group know that you did in fact search the
archives when you're asking a question. And if you found something
that is not quite what you need, it's useful to mention that too.
Nickolay
TYVM! That's just the nugget I needed, the keystone that has cracked
open the floodgates. I've googled plenty of appropriate references from
that starting point already.
I've figured out how to do this properly, but it only places an object
into the page's scope; I need a function to be injected there. I've
just shifted "is not defined" to "is not a function" by doing this.
Is this just something that this method isn't going to support?
I think so (there is a similar category for global constructors, but I
don't think it will work). You could try something like this:
var s = new Components.utils.Sandbox(content);
s.window = content;
Components.utils.evalInSandbox("window.wrappedJSObject.test = function
() { } ", s)
- at some point when the JS environment is initialized, but the
scripts have not yet run. This creates a sandbox using the principal
of the currently active content page (this part will need to be
tweaked to support background loads as well), gives the sandbox access
to the (wrapped) global object of the content page, then creates a
function in the page's global object using the sandbox's principal.
FWIW, bzbarsky didn't immediately find a problem with this approach :)
Nickolay
Hi,
I'm trying to inject a object into client windows. Could you publish
how you managed to do this?
Cheers,
Bruce