KangoExtensions / kango

Kango framework issue tracker

are content scripts sandboxed? #13

Closed braco closed 12 years ago

braco commented 12 years ago

content.js:

    // Set a marker in three places to see which ones the page can read
    window.foo = "window";
    document.foo = "document";
    foo = "local";

    // Inject an external script into the page through the DOM
    e = document.createElement("script");
    e.setAttribute("src", "http://site.com/external_script.js");
    document.body.appendChild(e);

external_script.js:

    console.log(typeof window.foo, typeof document.foo, typeof foo);

output:

    undefined, undefined, undefined

Any idea what's going on?

akrylysov commented 12 years ago

All content scripts are sandboxed. If you want to include an external script, you should use kango.xhr + eval.

braco commented 12 years ago

@kadot, why not expose a reference between the sandbox and main context?

braco commented 12 years ago

Firefox 15 throws this warning:

    Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. See https://developer.mozilla.org/en/XPConnect_wrappers for more information. @ chrome://[...]/content/kango/lang.js:50

when accessing data.response here:

    kango.xhr.send(details, function(data) {
        console.log(data.response);
    });

https://developer.mozilla.org/en-US/docs/XPConnect_wrappers#__exposedProps__

If script DOM injection doesn't work and something like unsafeWindow isn't exposed, it would be very nice if there was a built-in way to load external scripts without a hassle. This could be used for Google-hosted jQuery and whatever else the user needs. XHR won't cache, will it?

braco commented 12 years ago

For anyone finding this thread in the future, the context still needs to be passed in:

    kango.xhr.send.call(this, details, function(data) {
        eval(data.response);
    });

which seems to (??) eliminate the Firefox warning above.
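Added example, not part of the original thread and not Kango's own code: with `kango.xhr` + `eval`, whatever the server returns runs inside the content script, and the URL in the first post is plain `http://`, so one way to constrain it is to pin a SHA-256 digest of the expected file and refuse to evaluate anything else. `runIfPinned`, `onScriptLoaded`, `PINNED_SHA256` and the sample script body are hypothetical names and constructed data; hashing uses Node's `crypto` module so the block runs stand-alone (a content script would hash with `crypto.subtle.digest` instead).

```javascript
// Added example (not Kango code): evaluate a fetched script only if it
// matches a digest pinned inside the extension.
const crypto = require('crypto'); // Node.js; assumption made so this runs offline

// Hex-encoded SHA-256 of a script body.
function sha256Hex(source) {
  return crypto.createHash('sha256').update(source, 'utf8').digest('hex');
}

// Run `evaluate(source)` only when the digest of `source` equals `pinnedHex`.
// Returns { ok: true, value } on success, { ok: false, reason } otherwise.
function runIfPinned(source, pinnedHex, evaluate) {
  if (typeof source !== 'string' || source.length === 0) {
    return { ok: false, reason: 'empty or non-text response' };
  }
  if (sha256Hex(source) !== String(pinnedHex).toLowerCase()) {
    return { ok: false, reason: 'digest mismatch' };
  }
  return { ok: true, value: evaluate(source) };
}

// Constructed sample: the library body the extension author reviewed.
const KNOWN_GOOD = 'var pinnedLibVersion = "1.0"; pinnedLibVersion;';

// A real extension ships this as a hard-coded hex literal computed at build
// time; it is derived here only so the example is self-contained.
const PINNED_SHA256 = sha256Hex(KNOWN_GOOD);

// Shaped like the callback in this thread:
//   kango.xhr.send(details, onScriptLoaded)
// `data.response` is the field used in the posts above.
function onScriptLoaded(data) {
  return runIfPinned(data && data.response, PINNED_SHA256, function (src) {
    return eval(src);
  });
}

// Simulated responses (constructed): the reviewed file, and the same file
// with extra bytes appended somewhere between server and browser.
const accepted = onScriptLoaded({ response: KNOWN_GOOD });
const rejected = onScriptLoaded({ response: KNOWN_GOOD + '\n/* altered */' });
console.log(accepted, rejected);
```

Updating the external library then means shipping a new pinned digest with the extension, which is the point: the code that runs is the code that was reviewed.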

akrylysov commented 12 years ago

exposedProps issue fixed in v 0.9.9

akrylysov commented 12 years ago

> why not expose a reference between the sandbox and main context?

Technical limitation of Chrome, Safari and Opera.