New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Moved user-script detection to background scripts #2719
Moved user-script detection to background scripts #2719
Conversation
This is missing mime type detection, necessary for things like not breaking browsing to the UI view of a script that is stored in e.g. GitHub. Also, what happens if the server is slow to respond? What if it's a big script, and it takes much longer to load the whole thing than just the metadata which we strictly need? |
I'll have to look at what can be done about extracting the mime type.
I'm not sure I understand the concern. With the current method the script is fetched and downloaded, the content script runs, and then we get the install dialog. The whole script has to be loaded anyway. |
Exactly. There could be a very long delay between clicking the link and seeing anything happen.
But it doesn't have to be loaded now, while the user waits with no feedback. Look at how 3.x acted. It stops as soon as it has the metadata, pops the install dialog, then starts the actual download of the script and all resources, while the user can read the dialog and decide what to do. |
From what I understand of the 3.x code flow, this is what happens.
At the moment I feel doing significant changes to the install workflow (from the current WebExtension version) is out of the scope of this particular pull request, and should be addressed in followup commits. [1] There're stubs for what looks like downloading just enough for the metablock but it doesn't seem to be implemented. |
I used to have a public demo of this but it's broken so launch this: https://gist.github.com/arantius/3b493cb7ae6aad92d6c93881c14f1c4f with GM 3.x installed. Browse to http://localhost:8000/ and you'll see it take ~10 seconds to load. Browse to http://localhost:8000/slow.user.js and you'll see that it takes about 2 seconds to pop the install dialog (which then continues for another ~8 to complete the download). GM 4.x definitely does not do this today (Firefox does some funny buffering of the entire document before it displays any of it, and we don't run until that point anyway). But that's because 4.x was the simplest hack I could throw together that would work at all. We should be heading in this direction (UI feedback as soon as possible), not away from it. |
Added in recent commit.
Added in recent commit. However, still using the full tab for the install message. But, it can be easily switched over when the dialog windows are working. Which, they seem to be working[1] fine in FF 59. Not sure about 57-58. [1] Title prefix is still semi-broken. |
Oh, I failed to mention that this doesn't affect the current installation flow. That should probably be done in a followup. |
1c3be73
to
44925a8
Compare
The changes made in this branch partially put us toward the 3.x functionality. If this gets merged I have some additional commits that'll bring the download and install much closer to 3.x. Key points on what I have.
I could push these changes to this branch, but it's kind of a lot (all having to deal with the same thing though). Note, there are no progress indicators / bars. I used |
909b0b8
to
2c47caf
Compare
ca43699
to
382b5a4
Compare
Rebased to deal with #2641. Also includes a small fix to cause the page to close after clicking install. |
382b5a4
to
3c00f70
Compare
@@ -9,7 +9,7 @@ | |||
"applications": { | |||
"gecko": { | |||
"id": "{e4a8a97b-f2ed-450b-b12d-ee082ba24781}", | |||
"strict_min_version": "52.0" | |||
"strict_min_version": "57.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
src/bg/on-message.js
Outdated
if (message.name == 'OpenInstallDialog') { | ||
// No-op; content can legitimately ask for the dialog to be opened. | ||
} else if ( | ||
if ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be one line now.
src/bg/user-script-detect.js
Outdated
@@ -0,0 +1,103 @@ | |||
/* | |||
Add listeners to detecting user scripts and opening the installation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This form:
/* Add listeners to detect user scripts and open the installation dialog. */
Is better grammar and fits on one line.
src/bg/user-script-detect.js
Outdated
dialog. | ||
*/ | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why two blank lines here?
src/bg/user-script-detect.js
Outdated
// Examine headers before determining if script checking is needed | ||
function checkHeaders(responseHeaders) { | ||
for (header of responseHeaders) { | ||
if ('Content-Type' === header.name && userScriptTypes.has(header.value)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These should be case-insensitive matches, as the server is not guaranteed to provide any particular case for these values. (Just tested, when I send all-lower values, the header name is exactly "content-type" here.)
chrome.windows.getCurrent(null, win => { | ||
chrome.windows.remove(win.id); | ||
chrome.tabs.getCurrent(curTab => { | ||
chrome.tabs.remove(curTab.id); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Why?
- Desktop vs. Android?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using tabs works on both devices. Android needs to use tabs since it doesn't have windows. On desktop since the installer is opened using a dialog the window is considered a single tab window. When that tab is removed so is the window.
My test server delivers:
Which this fails to match, the install dialog does not pop. |
Ideally this would act like 3.x, if the load is detected as a script, abort and never show the navigation. If necessary, always abort (pause?), and when detected not a script, re-start (unpause?). Right now after patching, I'm seeing both the install dialog pop and the browser navigate to the script. |
It was so that users could see the source before installing. As mentioned in another issue you talked about the possibility for a malicious server to send different content on the second request that GM currently uses to fetch and save a script. While that concern is valid, it's also somewhat moot, at this moment, due to GM still not having a way to install scripts in a disabled state. Furthermore, a followup PR that I'd like to submit would resolve the above issue anyway, as it reworks the script download / installation so that a secondary request isn't required, among other things (background / async). I can look into modifying this PR so that it reflects the abort / navigation redirect that 3.x does. But I don't think, in the longer term, it should remain like that. |
Ah, I don't believe I address #2643 in this PR. Should be an easy fix to add a check at the top of the main function call. |
Attempting to implement the 3.x behavior and I've hit a problem. With a However, we now have a problem. The user is then presented with a blank page, or a page with a partially downloaded script if I can get the tab that the script request belongs to but unfortunately, as far as I can see, there's no I also attempted to do a If this is absolutely necessary, then I'm stumped. Maybe someone else has some ideas? |
d5beb92
to
8143de5
Compare
8143de5
to
7790d90
Compare
I'd still prefer that clicking a link on a script pops the install dialog and otherwise leaves the browser unchanged, like 3.x. But this fixes installs from sites with CSP like GitHub and also #2643 both of which are good. I'm merging it, we can figure out more improvements in the future.
I'd also like to see progress bars come back. |
No, the idea was to switch our code to Promise-y |
I made these changes in preparation for some other things I was testings some time ago, but I recently found out that moving script detection to the background can help bypass some of the current CSP issues Greasemonkey is having with installing scripts.
Per #2631, script detection fails for CSP hosts. With this change scripts are properly detect.
Some things to note.
browser
API with promises #2560?)