Add userScripts.execute() API proposal #540
Conversation
|
What would be the function's arguments? |
|
Hopefully you don't mind me posting the answers to these questions which I found while researching the PR as it's something I'll use in my extensions as well: affected by the CSP of the target page?chrome.userScripts.register runs code in the MAIN world despite github.com's argumentsIt's
|
|
Thanks @Getfree for taking a look at the proposal. And special thanks to @tophf for providing answers. These are mostly correct, but I am expanding them more:
Yes, injection has a User Script API
No. By default in run at
Depends on the world it's injected to. User script can be registered/executed in the @tophf , not sure I follow your answer here. Extension can decide the world in which a script is registered. Script registered in
It runs on the global scope. |
I was referring to the existing problem in the currently used workaround for MV3 to run arbitrary code by creating a script element inside code that already runs in the MAIN world - this workaround didn't work with a strict CSP of the page. With the new userScripts API the code will run regardless of the CSP of the page (it still affects the artifacts created by this code). I think this is an important info that could be used for an explicit clarification in the documentation. |
Addressed @Rob--W comments: - Add errors property to InjectionResult - Nits Co-authored-by: Rob Wu <rob@robwu.nl>
|
|
||
| ### Existing Workarounds | ||
|
|
||
| Developers can utilize `userScripts.register()` to inject JavaScript into a known set of hosts, but this doesn't cover the case of programmatic injections to a specific target or one-time injections. |
There was a problem hiding this comment.
They can also use scripting.executeScript() today, but that doesn't allow for remotely-hosted code.
|
|
||
| ### Add func to `ScriptSource` | ||
|
|
||
| Add `func` and `args` property to `ScriptSource` to specify a JavaScript function to inject. This could be used both by `userScripts.register()` and `userScripts.execute()`. |
There was a problem hiding this comment.
It's worth highlighting that this isn't as useful in this context, since the extension can trivially construct a string that enables this same functionality. Additionally, if the extension is using func + args, it isn't using remotely-hosted code, and could also use scripting.executeScript(). The only case it would need to use this in that scenario would be to inject in the user script world.
There was a problem hiding this comment.
...also when Chrome makes args use the structured clone algorithm.
There was a problem hiding this comment.
Yep, that's a reasonable point, too
|
This PR has been approved and is ready to merge (I don't have the power to do so :) ) |
SHA: 1d3d2ad Reason: push, by xeenon Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 1d3d2ad Reason: push, by xeenon Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Proposal for adding
<browser>.userScripts.execute()API to allow extensions to inject user scripts programmatically into web contents.