Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can my Add-on SDK content script interact with a website page script?

In my SDK add-on, I'd like to

  • call a function in a page script
  • export, read (get), write (set) or manipulate some variable or property in a page script
  • export a new function to or override an existing function in a page script
  • or post a custom event to a page that the page script can listen for.

How can my Add-on SDK content script communicate with a website?

like image 324
nmaier Avatar asked Oct 20 '22 06:10

nmaier


1 Answers

There are a multitude of ways to interact with page scripts, the most common of which are covered in the official documentation, including all of the ways listed in the question.

Please read "Interacting with page scripts".

However, it should be pointed out that interacting with page scripts in a secure fashion can be hard. Be particularly aware that unsafeWindow is called unsafe for a reason:

Be careful using unsafeWindow: you can't rely on any of its properties or functions being, or doing, what you expect. Any of them, even setters and getters, could have been redefined by a page script. Don't use it unless you trust the page, and even then be careful.

Also, unsafeWindow isn't a supported API, so it could be removed or changed in a future version of the SDK.

Reading data from or executing functions of unsafeWindow is safe in the sense that it cannot directly lead to code execution in another (your content script) security context. The Javascript engine compartments will make sure of that.

But it is very true that you must never trust data coming from a website. Always expect code to throw, Denial-of-service you with unexpected infinite loops or similar. And never ever explicitly or implicitly evaluate code in the context of your content script.

Also, never think you can actually trust a website, even it it is your own website. Websites can be compromised (hacked), owners can change in the future, the data could be changed en route (active Man-In-The-Middle attacks), or another add-on could have modified it, etc.

like image 68
2 revs Avatar answered Oct 23 '22 03:10

2 revs