This issue is to track and discuss issues that arise if we run scripts in the content scope. To begin with:
Perhaps @resources can also then be referred to by a URL served by this protocol.
I've also started thinking more recently that perhaps in the case of @grant none we still run just the same (evalInSandbox) but we just use the un-wrapped content window for the prototype, and just don't inject anything. Need to investigate how well this approach works.
Enforce @grants or run un-wrapped, in case of none.
As implemented in arantius@41d0da5 things seem to work as intended so far, but we definitely still get the file/line number confusion that we always have from the evalInSandbox(). A possible reason to re-implement as described in my first comment.
I've tried the protocol handler route. It only half works. It's implemented; opening the appropriate URL via the URL bar shows the expected contents. But putting a <script> node in the page with src= that URL does not work. I don't know why yet.
Correction: all but the last script does run. The last one doesn't, and above I was only running one. Even more confusing.
Fixed the last-doesn't-run issue, the protocol handler's channel wasn't quite implemented right. But we need a DOM to inject the script node into -- and that doesn't exist yet at document-start.
The best solution I know of right now is to keep the protocol handler (still useful for referencing resources, maybe), but use it as the URL parameter to evalInSandbox(). That should make logged errors link to that generated file, rather than the eval call site, and make them slightly easier to grok.
Custom protocol handler stuff is implemented in https://github.com/arantius/greasemonkey/tree/pure-content -- but it's working poorly enough that I'm going to defer doing that at all and call this fixed. Fixed by 41d0da5.
Run "@grant none" scripts with a <script> tag in the document.
No eval, no sandbox at all!
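The @grant decision discussed in this thread (enforce the listed grants, or run un-wrapped in the content scope for @grant none), sketched as an added example that is not Greasemonkey's own code. KNOWN_APIS, parseGrants and planExecution are hypothetical names, and the rules that "none" overrides other grants and that a script with no @grant gets an empty sandbox are assumptions of this sketch.

```javascript
// Added example, not Greasemonkey code. KNOWN_APIS and its stub bodies are
// hypothetical stand-ins for the privileged functions an extension exposes.
const KNOWN_APIS = {
  GM_getValue: (key) => `value-of-${key}`,
  GM_setValue: () => undefined,
  GM_xmlhttpRequest: () => undefined,
};

// Collect @grant values from the ==UserScript== metadata block only;
// lines after ==/UserScript== are script body and must not grant anything.
function parseGrants(source) {
  const grants = [];
  let inBlock = false;
  for (const line of source.split(/\r?\n/)) {
    if (/^\s*\/\/\s*==UserScript==\s*$/.test(line)) { inBlock = true; continue; }
    if (/^\s*\/\/\s*==\/UserScript==\s*$/.test(line)) break;
    const m = inBlock && line.match(/^\s*\/\/\s*@grant\s+(\S+)\s*$/);
    if (m) grants.push(m[1]);
  }
  return grants;
}

// Decide where the script runs and which APIs it is handed.
// Assumptions: "none" wins over any other grant; no @grant at all means a
// sandbox with no APIs; names that are not own keys of KNOWN_APIS are dropped.
function planExecution(source) {
  const grants = parseGrants(source);
  if (grants.includes('none')) return { mode: 'content', apis: {} };
  const apis = Object.create(null);
  for (const name of grants) {
    // Own-property check so "constructor" or "__proto__" cannot resolve
    // through the prototype chain to something that was never granted.
    if (Object.prototype.hasOwnProperty.call(KNOWN_APIS, name)) apis[name] = KNOWN_APIS[name];
  }
  return { mode: 'sandbox', apis: Object.freeze(apis) };
}

// Constructed sample scripts.
const GRANTED = [
  '// ==UserScript==',
  '// @name   demo',
  '// @grant  GM_getValue',
  '// @grant  constructor',
  '// ==/UserScript==',
  '// @grant GM_xmlhttpRequest',
  'GM_getValue("k");',
].join('\n');
const NONE = '// ==UserScript==\n// @grant none\n// @grant GM_setValue\n// ==/UserScript==\n';

console.log(planExecution(GRANTED).mode, Object.keys(planExecution(GRANTED).apis));
console.log(planExecution(NONE).mode, Object.keys(planExecution(NONE).apis));
```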