Closed
Bug 979569
Opened 10 years ago
Closed 7 years ago
XHR Requests in content scripts require absolute URIs when cross_domain_content permission has been specified
Categories
(Add-on SDK Graveyard :: General, defect, P2)
Add-on SDK Graveyard
General
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: btyler, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 Steps to reproduce: Minimal example: https://github.com/cognizo/firefox-toolbar-dynamic-view-load-example This is a tiny addon in which content scripts use XHR to load html dynamically from data/views. In addition to that, it would like to (someday) call an external API from inside the content scripts. Upon 'cfx run'-ing the addon, the Mozilla 'M' will appear in the bottom left. clicking on the M should open a window with a short message inside. The 'master' branch has a cross_domain_content setting in package.json. The 'no_cross_domain_permission' branch does not. The 'absolute_uri' branch passes 'data.uri('')' to the content-script UI dispatcher and uses it to form the request url for the html file that the XHR fetches. Actual results: On the 'master' branch, the window is blank. On the 'no_cross_domain_permission' branch the window has content, but lacks the permissions to perform API calls from content-script land. On the 'absolute_uri' branch there is both content -and- the ability to make API calls. Expected results: I did not expect the 'cross_domain_content' permissions setting to affect whether or not content scripts required an absolute URI to load content using XHR from the data/ directory. This feels like a bug, but perhaps just requires more specific documentation. At the very least it is surprising :) Thanks!
Comment 1•10 years ago
|
||
just adding a note, since it's not obvious from the comment, XHR is used to load from the addon's data directory (resource:// protocol), with an URL relative to the html page (also loaded from the same dir). Gabor, this looks like something you might know a thing or two about. or if the example code is too big, let me know, i can try and reduce it further.
Flags: needinfo?(gkrizsanits)
Comment 2•10 years ago
|
||
Right. So I guess what's happening is this. For the regular case content-script just uses the XHR of the content window, which by default handles URLs relative to the html page. But when cross domain permission is use XHR is created with a custom constructor that is injected into the content-scripts scope and has no clue about the page or it's location at all... We could just simply document this and walk away. But I don't feel comfortable about this inconsistency... So I think we should threat this as a bug and find a way on platform side to fix it. For that I would be the most likely candidate, but currently I'm flooded with other tasks, so this might take a while... Anyway thanks for reporting it!
Flags: needinfo?(gkrizsanits)
Priority: -- → P2
Comment 3•7 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1399562
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•