Skip to content
This repository

(Default) mode to execute scripts in the content scope #1427

Closed
arantius opened this Issue September 23, 2011 · 7 comments

1 participant

arantius
arantius
Collaborator

This issue is to track and discuss issues that arise if we run scripts in the content scope. To begin with:

  • Do we wrap scripts in an anonymous function, to provide a namespace isolated from the page?
  • How do we handle @requires?
  • How do we actually perform injection / execution?
arantius
Collaborator

My gut tells me that method of execution should be via some sort of custom protocol handler ( https://developer.mozilla.org/En/NsIProtocolHandler ), guaranteeing that the appropriate URL will be outside the same-origin to any page (thus the script content is unreadable to the page). Then injection is just adding a <script> node with the proper custom-protocol URL. Our protocol handler then knows how to glue the script and any requires together into an appropriate response for javascript execution.

Perhaps @resources can also then be referred to by a URL served by this protocol.

arantius
Collaborator

I've also started thinking more recently that perhaps in the case of @grant none we still run just the same (evalInSandbox) but we just use the un-wrapped content window for the prototype, and just don't inject anything. Need to investigate how well this approach works.

arantius arantius referenced this issue from a commit in arantius/greasemonkey May 22, 2012
arantius Enforce @grants or run un-wrapped, in case of none.
Refs #1427
41d0da5
arantius
Collaborator

As implemented in arantius@41d0da5 things seem to work as intended so far, but we definitely still get the file/line number confusion that we always have from the evalInSandbox(). A possible reason to re-implement as described in my first comment

arantius
Collaborator

I've tried the protocol handler route. It only half works. It's implemented; opening the appropriate URL via the URL bar shows the expected contents. But putting a

arantius
Collaborator

Correction: all but the last script does run. The last one doesn't, and above I was only running one. Even more confusing.

arantius
Collaborator

Fixed the last-doesn't-run issue, the protocol handler's channel wasn't quite implemented right. But we need a DOM to inject the script node into -- and that doesn't exist yet at document-start.

The best solution I know of right now is to keep the protocol handler (still useful for referencing resources, maybe), but use it as the URL parameter to evalInSandbox(). That should make logged errors link to that generated file, rather than the eval call site, and make them slightly easier to grok.

arantius
Collaborator

Custom protocol handler stuff is implemented in https://github.com/arantius/greasemonkey/tree/pure-content -- but it's working poorly enough that I'm going to defer doing that at all and call this fixed. Fixed by 41d0da5 .

arantius arantius closed this June 15, 2012
arantius arantius referenced this issue from a commit June 22, 2012
Commit has since been removed from the repository and is no longer available.
arantius arantius referenced this issue from a commit in arantius/greasemonkey June 22, 2012
arantius Run "@grant none" scripts with a <script> tag in the document.
No eval, no sandbox at all!

Refs #1427
4c268d8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.