Conversation
…xtension:` documents
github-actions
Bot
added
Content:Firefox
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
| You must have the permission for the page's URL either explicitly, as a [host permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions), or using the [activeTab permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission). Note that some special pages do not allow this permission, including reader view, view-source, and PDF viewer pages. | ||
|
|
||
| You can also inject code into pages packaged with your own extension: | ||
| You _cannot_ inject code into: |
There was a problem hiding this comment.
Please remove the enumeration and just state that content scripts cannot be run in extension documents. If an extension wants to dynamically run code, they could register a runtime.onMessage listener and send a message there instead. Please linkify the runtime.onMessage API, which itself also provides pointers to relevant APIs: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage
Co-authored-by: Rob Wu <rob@robwu.nl>
Co-authored-by: Rob Wu <rob@robwu.nl>
Co-authored-by: Rob Wu <rob@robwu.nl>
Co-authored-by: Rob Wu <rob@robwu.nl>
Rob--W
left a comment
Rob--W
left a comment
There was a problem hiding this comment.
Please read the review feedback and merge after applying it. If in doubt, please ping me for another review.
We now also link to runtime.onMessage, but "the example use cases" do not include the specific case here. Please add a bullet point listing this use case:
"in an extension document in a tab to listen for messages from the background script or anywhere else"
This use case is already pointed to in tabs.sendMessage as "extension pages/iframes that belong to the extension and are running in the specified tab."
| You _cannot_ inject code into any of the browser's built-in pages, such as `about:debugging`, or `about:addons`, or the page that opens when you open a new empty tab. | ||
|
|
There was a problem hiding this comment.
| You _cannot_ inject code into any of the browser's built-in pages, such as `about:debugging`, or `about:addons`, or the page that opens when you open a new empty tab. |
The last part of the previous paragraph already explains that certain pages cannot be scripted, so I am suggesting to drop this (repetitive) part.
|
|
||
| <!-- ### Removals --> | ||
|
|
||
| The ability of extensions to dynamically execute code in their `moz-extension:` documents with {{WebExtAPIRef("tabs.executeScript")}}, {{WebExtAPIRef("tabs.insertCSS")}}, {{WebExtAPIRef("tabs.removeCSS")}}, {{WebExtAPIRef("scripting.executeScript")}}, {{WebExtAPIRef("scripting.insertCSS")}}, and {{WebExtAPIRef("scripting.removeCSS")}} is deprecated. The feature is no longer available in Firefox Nightly, and the beta and release versions of Firefox provide a warning in the tab's console. This restriction will apply to all versions of Firefox 152 and later. ({{bug(2011234)}}) |
There was a problem hiding this comment.
I wonder whether we should explicitly recommend or link to alternatives from here, in case it is not obvious. E.g. referring to runtime.onMessage as an alternative for most cases.
Co-authored-by: Rob Wu <rob@robwu.nl>
|
@Rob--W unfortunately, I can't figure out what your intention was with the comment about "Please add a bullet point listing this use case". Can you clarify? The other changes have been made. Note, I've modified the wording in the "Extensions cannot run content scripts in extension documents." paragraph, as I wasn't sure it was entirely clear. I've also added this paragraph to |
Rob--W
left a comment
Rob--W
left a comment
There was a problem hiding this comment.
@Rob--W unfortunately, I can't figure out what your intention was with the comment about "Please add a bullet point listing this use case". Can you clarify?
The onMessage documentation (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage) has a bullet list of use cases. I am requesting to explicitly list the use case that we are now prominently mentioning (as an alternative to the deprecated executeScript usage).
I've also added this paragraph to
scripting/executeScript(was this what your comment about the bullet point referred to?)
That is not what I was referring to, but as tabs.executeScript and scripting.executeScript have the same capabilities, it makes sense to include the same information there, so I am okay with keeping the same text there.
| Using methods (1) and (2), you can only load scripts into pages whose URLs can be represented using a [match pattern](/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns). | ||
|
|
||
| Using method (3), you can also load scripts into pages packaged with your extension, but you can't load scripts into privileged browser pages (like `about:debugging` or `about:addons`). | ||
| Using method (3), you cannot load scripts into pages packaged with your extension, privileged browser UI pages (such as `about:debugging`, `about:addons`, reader view, view-source, or the PDF viewer). |
There was a problem hiding this comment.
This text now contains the correction I suggested before, but the other part of my feedback below the suggested text has not been applied. Could you read my previous review at #43108 (comment) and apply the full suggestion?
|
@Rob--W sorry for the slow uptake on your feedback. Hopefully, everything is done now. |
Rob--W
left a comment
Rob--W
left a comment
There was a problem hiding this comment.
Approved with the changes applied. Please check for typos before merging.
|
|
||
| ### Limitations | ||
|
|
||
| Whole tabs or frames may be loaded using [`data:` URI](/en-US/docs/Web/URI/Reference/Schemes/data), {{DOMxRef("URL.createObjectURL_static", "Blob")}} objects, and other similar techniques. Support of content scripts injection into such special documents varies across browsers, see the Firefox [bug #1411641 comment 41](https://bugzil.la/1411641#c41) for some details. |
There was a problem hiding this comment.
Deleted the whole section because it is obsolete. I merged the content with the new section.
| ### Limitations | |
| Whole tabs or frames may be loaded using [`data:` URI](/en-US/docs/Web/URI/Reference/Schemes/data), {{DOMxRef("URL.createObjectURL_static", "Blob")}} objects, and other similar techniques. Support of content scripts injection into such special documents varies across browsers, see the Firefox [bug #1411641 comment 41](https://bugzil.la/1411641#c41) for some details. |
Co-authored-by: Rob Wu <rob@robwu.nl>
|
|
||
| If an extension wants to run code in an extension page dynamically, it can include a script in the page. This script contains the code to run and registers a {{WebExtAPIRef("runtime.onMessage")}} listener that implements a way to execute the code. The extension can then send a message to the listener to trigger the code's execution. | ||
|
|
||
| ### Limitations |
There was a problem hiding this comment.
[markdownlint] reported by reviewdog 🐶
error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Limitations"]
rebloor
deleted the
Bug-2011234-remove-ability-to-dynamically-execute-code-in-their-moz-extension-documents-with-tabs-and-scripting.executeScript
branch
…xtension:` documents (mdn#43108) * Bug-2011234: remove the ability to dynamically execute code in `moz-extension:` documents * Apply suggestions from linter Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Apply suggestions from review Co-authored-by: Rob Wu <rob@robwu.nl> * Apply suggestions from review Co-authored-by: Rob Wu <rob@robwu.nl> * Apply suggestion from @Rob--W Co-authored-by: Rob Wu <rob@robwu.nl> * Apply suggestion from @Rob--W Co-authored-by: Rob Wu <rob@robwu.nl> * Further clarifications of dynamic code execution in extension documents * Apply suggestions from review Co-authored-by: Rob Wu <rob@robwu.nl> * Further feedback related changes * typo * Further feedback changes * Apply suggestions from @Rob--W review Co-authored-by: Rob Wu <rob@robwu.nl> * Minor corrections * Reapply deletion --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Rob Wu <rob@robwu.nl>
3 participants
Description
Addresses the dev-docs-needed requirements of Bug 2011234 Extensions can dynamically execute code in their moz-extension: documents with tabs/scripting.executeScript by:
permissionsandhost_permissionsmanifest keys.tab.executeScript.Although this change also applies to
tabs.insertCSS,tabs.removeCSS,scripting.executeScript,scripting.insertCSS, andscripting.removeCSS, no explicit reference to the feature was made in those methods. No documentation changes were made, as the default expectation is that a web page canfetch()in its own URLs, which also applies to extension documents.