Closed Bug 1423966 Opened 7 years ago Closed 6 years ago

Add API-Control to tabs.executeScript()


(WebExtensions :: General, enhancement, P5)

58 Branch


(Not tracked)



(Reporter: eros_uk, Unassigned)


User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171115220414

Steps to reproduce:

I believe a little API addition can have a GREAT impact on the security (and simplicity, performance) of user content scripts where script is not controlled by the add-on. 

A prime example would be GreaseMonkey type scripts but there are other instances where user can enter script to be parsed by the add-on.

Currently, Content scripts in addition to being in the page content scope, have access to some or all APIs in extension, runtime, i18n & storage.

For example, an added "permissions" property to details, which defaults to all ie normal

var executing = browser.tabs.executeScript({
  file: "/content-script.js",
  allFrames: true,
  permission: ['extension', 'runtime', 'i18n', 'storage']

Or even just a blocking property eg:

var executing = browser.tabs.executeScript({
  file: "/content-script.js",
  allFrames: true,
  sandboxed: true // no API access

Actual results:
Hi erosman,
we like the idea of optionally sandboxing the content scripts and we were evaluating something similar.

In the meantime I'm moving this issue into a different bugzilla component (it doesn't seem something that belongs to "WebExtensions: Developer Tools")
Severity: normal → enhancement
Component: WebExtensions: Developer Tools → WebExtensions: General
Ever confirmed: true
Priority: -- → P5
Product: Toolkit → WebExtensions
Has there been any development on this issue?
Flags: needinfo?(lgreco)
(In reply to erosman from comment #2)
> Has there been any development on this issue?

Yes, we are working on a type of scripts that are sandboxed and isolated from the APIs available to the rest of the extension as part of the userScripts API (Bug 1437098).

The proposal as it was described in comment 0 isn't unfortunately a viable option, because all the extension content scripts
(the one registered from the manifest, as well as the one registered at runtime using contentScripts.register and the code injected using tabs.executeScript) are all going to be executed in the same sandbox (1 per matched window global), and the APIs are actually made available to the content scripts by injecting them into the shared "content scripts" sandbox, and not to just a particular js url or js string.

I'm marking this bug as a dupe of the userScript meta (Bug 1437098), because it is the feature that we are actually working on to allow an extension to control if and which APIs should be available to third-party scripts executed by that extension in the content processes.
Closed: 6 years ago
Flags: needinfo?(lgreco)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.