-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add userScripts.execute() API proposal #540
Conversation
What would be the function's arguments? |
Hopefully you don't mind me posting the answers to these questions which I found while researching the PR as it's something I'll use in my extensions as well: affected by the CSP of the target page?chrome.userScripts.register runs code in the MAIN world despite github.com's argumentsIt's
|
Thanks @Getfree for taking a look at the proposal. And special thanks to @tophf for providing answers. These are mostly correct, but I am expanding them more:
Yes, injection has a User Script API
No. By default in run at
Depends on the world it's injected to. User script can be registered/executed in the @tophf , not sure I follow your answer here. Extension can decide the world in which a script is registered. Script registered in
It runs on the global scope. |
I was referring to the existing problem in the currently used workaround for MV3 to run arbitrary code by creating a script element inside code that already runs in the MAIN world - this workaround didn't work with a strict CSP of the page. With the new userScripts API the code will run regardless of the CSP of the page (it still affects the artifacts created by this code). I think this is an important info that could be used for an explicit clarification in the documentation. |
Addressed @Rob--W comments: - Add errors property to InjectionResult - Nits Co-authored-by: Rob Wu <rob@robwu.nl>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LG; thanks, Emilia!
|
||
### Existing Workarounds | ||
|
||
Developers can utilize `userScripts.register()` to inject JavaScript into a known set of hosts, but this doesn't cover the case of programmatic injections to a specific target or one-time injections. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They can also use scripting.executeScript()
today, but that doesn't allow for remotely-hosted code.
|
||
### Add func to `ScriptSource` | ||
|
||
Add `func` and `args` property to `ScriptSource` to specify a JavaScript function to inject. This could be used both by `userScripts.register()` and `userScripts.execute()`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's worth highlighting that this isn't as useful in this context, since the extension can trivially construct a string that enables this same functionality. Additionally, if the extension is using func + args, it isn't using remotely-hosted code, and could also use scripting.executeScript()
. The only case it would need to use this in that scenario would be to inject in the user script world.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...also when Chrome makes args
use the structured clone algorithm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, that's a reasonable point, too
This PR has been approved and is ready to merge (I don't have the power to do so :) ) |
SHA: 1d3d2ad Reason: push, by xeenon Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 1d3d2ad Reason: push, by xeenon Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1930776 to track the implementation of this in Firefox. Is there any Chromium bug for this? |
|
Proposal for adding
<browser>.userScripts.execute()
API to allow extensions to inject user scripts programmatically into web contents.