Closed palant closed 8 years ago
The second solution as formulated here seems impractical - Add-on SDK doesn't seem to provide any practical means of circumventing same-origin policy here. Tab.attach()
only applies to the top-level frame, and cross-domain content scripts only work for specific websites (besides, these seem to have issues). So the only way would be using page-mod
in order to inject the fill-in script into each and every window, regardless of whether it is ever used. This seems to be an overkill.
So I think that the right solution is a combination of 2 and 3: fill-in the password into frames if allowed by same-origin policy, and adjust the error message to indicate that automatic fill-in won't always work.
If the password field isn't in the top-level document then filling in password will fail. It's questionable however whether recursing into frames is the right things to do, particularly for different origin frames: not only are there technical issues (content script cannot access frame contents), it's unclear whether the frame is supposed to get the password in the first place (consider third-party widgets). Possible solutions:
I am leaning towards the second solution.