2

Does anyone know if there is a way to load any external executable javascript from a firefox add-on extension? I looked into scriptloader.loadSubScript, but it appears that it can only load from a local resource.

Any help would be appreciated.

Improve this question

3 Answers 3

Reset to default
3

You can always xhr for a file, save the contents to disk, then use scriptloader.loadSubScript with an add-on

this would violate the AMO policies though, so you wouldn't be able to upload the add-on to http://addons.mozilla.org

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Is there an alternative that would not violate the AMO policies?
@Erich: No, there is no alternative. Your desire to load code that is not in the add-on release is inherently at odds with the security related policies at AMO. There is quite a bit in place to specifically prevent accidentally doing what you desire because running unknown code (sourced outside the add-on bundle) with extension-level privileges is inherently a security issue.
2

As @erikvold already pointed out, doing so would be a security hazard AND it also violates AMO rules (because it is a security hazard).

Consider your server gets compromised, or there is a way to MITM the connection retrieving the remote script (TLS bugs anyone :p), or you sell your domain and the new owner decides to ship a script to collect credit card information straight from a user's hard disk...

However, it is possible to run a remote script in an unprivileged environment, much like it would run in a website.

  • Create a Sandbox. The Sandbox should be unprivileged, e.g. pass an URL in your domain into the constructor.
  • Retrieve your script, e.g. with XHR.
  • Evaluate your script in the Sandbox and pull out any data it might have generated for you.

This is essentially what tools like Greasemonkey (executing user scripts) do.

Creating and working with Sandboxes in a secure fashion is hard, and the Sandbox being unprivileged prohibits a lot of use cases, but maybe it will work for your stuff.

Improve this answer

1 Comment

@Erich, Thanking somebody for answers on stackoverflow usually involves upvoting the answer (you can upvote more than one).
0

Try using Components.utils.import .

Example :

const {Cc,Ci,Cu} = require("chrome");

Cu.import("url/path of the file");

Note :

js file which uses DOM objects like window, navigator, etc. will return error saying "window/navigator is undefined". This is simply because the main.js code does not have access to DOM.

Refer this thread for more information.

Improve this answer

2 Comments

I've tried this but I can't figure out how to get an external URL to work. All the documents I read about it show either a chrome:// or resouce:// url that is referring to fles that already exist in the project. Is it possible to grab a javascript file from a web site when the extension initializes?
This does not work for external Javascript, which is what the question asked.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.