1875475 - [meta] Implement userScripts API in MV3

Status: NEW

(WebExtensions :: General, enhancement, P2)

Description

[Rob Wu [:robwu]]

This is about implementing the userScripts API, as designed in the WECG at https://github.com/w3c/webextensions/issues/279 .

Not to be confused with the current userScripts API in Firefox that is tied to the user_scripts key from bug 1437098. This older API called "userScripts" is MV2-only because its design is incompatible with non-persistent background pages. Additional notes about differences: https://github.com/mdn/browser-compat-data/issues/21922#issuecomment-1892148953

Comment 1

[Rob Wu [:robwu]]

Currently, the way that user script managers would use the API to run scripts in the main world is to use the userScripts API to have a world without scripts being restricted by the CSP. To enable that, we need to support the ability to exempt script nodes inserted by the "user script" world from the CSP (bug 1446231).

Comment 2

[Rob Wu [:robwu]]

The capability to directly run scripts in the MAIN world is part of bug 1736575.

Comment 3

[Rob Wu [:robwu]]

Before we can enable any implementation of the userScripts API by default, we need a way for users to opt in to userScripts functionality. We have a top-level generic bug on file for that at bug 1787179.

The implementation of the userScripts API can be sequenced as follows:

• MVP as specified in https://github.com/w3c/webextensions/blob/main/proposals/user-scripts-api.md
  • userScripts.register() and userScripts.unregister to register/unregister user scripts (MV3 API, not to be confused with MV2).
    • Note: we need to update the schema to make sure that the MV2 and MV3 APIs are separate (relying on bug 1892669).
    • To keep the initial patch simple, support injection in the MAIN world only (implemented in bug 1736575).
    • Persistency of scripts is a core part of the API, but we could start in-memory at first and implement persistency separately.
    • Except for the matches vs includeGlobs (OR instead of AND, and matches optional - (https://crbug.com/41483539)), the matching and execution behavior is the same as regular content scripts. Tests thus only need to verify that the script can be registered and that the options make sense.
  • userScripts.getScripts() to retrieve the set of registered scripts.
  • (if not implemented in the first part) Implement persistency of registered user scripts (i.e. should persist across restarts).
  • userScripts.update()
  • Add support for the USER_SCRIPT world (Sandbox, initially without any extra APIs, will change below with "messaging").
  • userScripts.configureWorld() to customize CSP of world.
  • userScripts.configureWorld messaging option to enable messaging with the user script world + runtime.onUserScriptMessage, runtime.onUserScriptConnect
• Multiple userScripts world as specified in https://github.com/w3c/webextensions/blob/main/proposals/multiple_user_script_worlds.md (Chrome is still actively working on this - https://crbug.com/331680187)
• userScripts.execute as specified in https://github.com/w3c/webextensions/blob/main/proposals/user-scripts-execute-api.md (Chrome has not implemented this yet)
• More additions:
  • E.g. re-ordering of user scripts (https://github.com/w3c/webextensions/issues/606)
  • Other feature requests: https://github.com/w3c/webextensions/issues?q=is%3Aopen+is%3Aissue+label%3A%22topic%3A+user+scripts%22

Comment 4

[Rob Wu [:robwu]]

To people who are following this bug: as called out before in comment 3, we want an opt-in before this feature can be enabled by default.

The implementation of the API is progressing and will be available for testing soon, behind a flag.

The opt-in will take form of an optional-only feature permission (bug 1917000). The UX is described at https://bugzilla.mozilla.org/show_bug.cgi?id=1917000#c1 (with screenshots in the comments that follow it). The implementation of this UX is tracked at bug 1931545 and bug 1931548 (desktop) and bug 1931554 and bug 1931556 (mobile).