Bug 1870498 Comment 14 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

> is the assumption about the scope of "using the standard DOM APIs" incorrect? What is the range of Web APIs that a content script can use in a secure context?

I think "DOM APIs" is just colloquially referring to all Web APIs. Content scripts run in the context of the web page, and can therefore access all the same [Web APIs](https://developer.mozilla.org/en-US/docs/Web/API) that page scripts can, and then a little bit more, depending on the browser.

> Is getCoalescedEvents the only method usable in a non-secure context?

The limiting of getCoalescedEvents to secure contexts is a spec change that happened a while ago and is currently in the process of being implemented in Firefox and Chrome. 

This change, which is currently only enabled in Nightly, resulted in breakage in some important extensions, so it was decided that content scripts will always have access to getCoalescedEvents regardless of secureness.

At this point, getCoalescedEvents is the only [SecureContext]-only Web API that is always available to WebExtension content scripts.

> is the assumption about the scope of "using the standard DOM APIs" incorrect? What is the range of Web APIs that a content script can use in a secure context?

I think "DOM APIs" is just colloquially referring to all Web APIs. Content scripts run in the context of the web page, and can therefore access all the same [Web APIs](https://developer.mozilla.org/en-US/docs/Web/API) that page scripts can, and then a little bit more, depending on the browser.

> Is getCoalescedEvents the only method usable in a non-secure context?

The limiting of getCoalescedEvents to secure contexts is a spec change that happened a while ago and is currently in the process of being implemented in Firefox and Chrome. 

This change, which is currently only enabled in Nightly, resulted in breakage in some important extensions, so it was decided that content scripts will always have access to getCoalescedEvents regardless of secureness.

At this point, getCoalescedEvents is the only [SecureContext] Web API that is always available to WebExtension content scripts even if the page is not secure.
