I kind of doubt the extension stores would count this as kosher, but.
This is an incomplete but working proof of concept for running the entirety of New XKit in Chrome's MV3 "userScript" world, which is kind of like ISOLATED except you're allowed to run strings (not currently used) and set CSP. Firefox will get this feature eventually.
This version uses script-src 'self' 'unsafe-inline' 'unsafe-eval' as the CSP value, which is of course not particularly secure; in this form what the PR does is effectively whitelisting the privileged extension APIs our insecurely-executed-out-of-storage code can access. We basically only need storage.local.
There's no technical reason one can't remove 'unsafe-inline' (using XKit Rewritten's MV3 injection method; I have this implemented in test builds already) or even potentially 'unsafe-eval' (by grabbing the enabled script bodies from storage in the background script and injecting them as part of the browser.userScripts.update call; this sounds rather annoying to refactor). Doing both of those would be fairly interesting.
But doing the rest of this work and bugfixing the large number of ways to break things using mismatched stored script versions would be waiting on a Firefox implementation and gambling on the extension stores considering this a valid use of the new userScript API, just in order to preserve the XKit Editor functionality in an extension that's, to a first-order approximation, broken. Simply following the MV3 guidelines and removing the editor is a simpler way to let this codebase live on.
I kind of doubt the extension stores would count this as kosher, but.
This is an incomplete but working proof of concept for running the entirety of New XKit in Chrome's MV3 "userScript" world, which is kind of like ISOLATED except you're allowed to run strings (not currently used) and set CSP. Firefox will get this feature eventually.
This version uses
script-src 'self' 'unsafe-inline' 'unsafe-eval'as the CSP value, which is of course not particularly secure; in this form what the PR does is effectively whitelisting the privileged extension APIs our insecurely-executed-out-of-storage code can access. We basically only needstorage.local.There's no technical reason one can't remove
'unsafe-inline'(using XKit Rewritten's MV3 injection method; I have this implemented in test builds already) or even potentially'unsafe-eval'(by grabbing the enabled script bodies from storage in the background script and injecting them as part of thebrowser.userScripts.updatecall; this sounds rather annoying to refactor). Doing both of those would be fairly interesting.But doing the rest of this work and bugfixing the large number of ways to break things using mismatched stored script versions would be waiting on a Firefox implementation and gambling on the extension stores considering this a valid use of the new userScript API, just in order to preserve the XKit Editor functionality in an extension that's, to a first-order approximation, broken. Simply following the MV3 guidelines and removing the editor is a simpler way to let this codebase live on.