-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: userScripts.execute() method #477
Comments
Firefox only userScripts in MV2 is replaced by scripting API in MV3 which has scripting.executeScript() method. It is my understanding that the ability to pass a |
Is this confirmed? I was under the impression that they deliberately stripped away that parameter to prevent the execution of remote code. |
Although, I don't see It would be good to mention it in the user scripts proposal. FootnoteWhile the User Scripts API mentions
There will be an additional 'USER_SCRIPT' option in the
|
For Chromium, the getScripts, register, unregister, and update methods have been implemented under the userScripts namespace. |
Preface: I am focusing the discussion to the userScripts API, not the scripting API, given their separate use cases. What is the request here? The ability to run arbitrary code through the For the latter, rather than a |
Use case is for extensions where users can execute user-supplied code through gestures, shortcut keys, etc. You can never predict when, or where the user will trigger the gesture, or shortcut, so it's not possible to bind it to a specific URL. I think userScripts.execute() is the right approach here. To avoid issue #8, the userScripts.execute() function could take a documentId, and that way the developer can execute on a specific document. Since MessageSender includes documentId, the flow is straightforward. // content script where gesture, shortcut, voice command, etc is triggered.
browser.runtime.sendMessage({action: "ExecuteUserScript", id: "foo"})
// background
function onMessage(msg, sender, sendResponse) {
if (msg.action === "ExecuteUserScript") {
const code = await getUserScriptFromStorage(msg.id)
userScripts.execute({code, documentId: sender.documentId})
}
} |
What is the difference? Both are almost same to me. An extension user wants to create his/her own script(arbitrary code, also as a new user script) to be executed in the context of the extension(could be a user script manager) on document loaded. |
I'd like to highlight a use case where something like Powerlet is an interface to search and execute scripts from bookmarklets. The user will click the extension button or use a keyboard shortcut to activate the extension popup, search from there and execute a particular script. This is equivalent to clicking on a bookmark button on the browser's bookmarks toolbar. The project has an issue mentioning migration to MV3. I've been experimenting with MV3, it might be my lack of experience but I don't see a way to support similar extensions with the current I believe that the It'd be nice to continue being able to extend the browser like that, I see this no less secure than running scripts on page load, even less intrusive IMO. |
@oliverdunk Any chance we get this before Chrome's MV2 deadline in June? Many MV2 Chrome extensions have features that require this API. Current options for extensions that require this API.
|
@newRoland, as you mention there is a wrapped userScript approach which should be sufficient as a workaround here. With that in mind, we're not considering this a blocker, and would suggest using the workaround for migration in the short term. There's definitely still a chance a way of doing one-time injection lands in time, since we're planning to do further work on the userScripts API over the next few months, I just can't make any promises :) |
FYI: @EmiliaPaz has filed a PR with a proposal at #540 |
PR #540 has been approved. |
(updated supportive labels - Chrome plans to work on this in 2025Q1 and Firefox tracks the work at https://bugzilla.mozilla.org/show_bug.cgi?id=1930776) @EmiliaPaz While I was taking a closer look at For comparison:
If the use case is simulating execution of user scripts, then it may make sense to accept an array of On the other hand, an extension wishing to execute more than one script could always call I'm about to start the implementation of |
IMHO,
Often user-script managers have to inject multiple scripts together (e.g. from |
re: https://github.com/w3c/webextensions/blob/main/proposals/user-scripts-execute-api.md
I would suggest precedence instead of rejection. e.g.
|
This suggested behavior does not look appealing to me. I would not replace the "reject invalid input" with "ignore some properties when invalid". Rejecting allows extension authors to detect invalid input, and allows the API to be expanded to consider not rejecting in the future. For example, a potentially valid use of "allFrames: true, frameIds: [1, 3]` could be to to run in frames 1 and 3 and their sub frames. |
It was only a suggestion. However, for better context .....
The property is not invalid. One property simply is a sub-set of another. Property A means all, while property B means some. Property A has a wider implication than property B. Overriding one property when another property is used, and/or implying precedence is nothing new. It is quite the established M.O. in CSS. The commonly used Matching URL patterns is an example where
Setting excludes that completely override includes is common when setting global excludes in extensions. |
Updated as discussed in w3c#477 (comment)
The user-scripts proposal mentions this as a potential future enhancement, nevertheless, I'm creating a formal proposal so that it can be discussed and tracked.
Context
The userScripts API addresses a significant gap that MV3 created for extensions that need to execute user-supplied JavaScript. Nonetheless, a gap persists for userscripts not driven by URLs. Many extensions activate userscripts through varied methods including gestures, keyboard shortcuts, context menus, voice, and more.
Issue was first mentioned by @Robbendebiene.
Proposal
A method to execute user-supplied javascript on the fly.
browser.userScripts.execute({code: "", world, allFrames, etc})
Security Considerations
The current User Scripts proposal already allows this capability. The extension can register the user script to run on all domains, and call a wrapped userscript on demand. For example, when the user triggers a gesture. This is inefficient and it would be harmful to users if developers had to resort to that.
A few extensions that would need this.
Cr×Mouse Chrome™ Gestures
Vimium [1]
AutoHotkey
modern scroll
Script Runner Pro
Foxy Gestures
Gesturefy
smartUp Gestures
Tampermonkey, Violentmonkey (edge cases like RegExp)
Surfingkeys [1]
Automa [1]
The text was updated successfully, but these errors were encountered: