Bookmarklets like a Phoenix Rising from the Ashes?

Talk about add-ons and extension development.
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Bookmarklets like a Phoenix Rising from the Ashes?

Post by lithopsian »

The simplest way for an addon to execute JavaScript in a web page with full privileges is to use a frame script. It isn't exactly the content environment, but usually close enough. Addons can inject script directly into content but they lose their privileges. There are also sandboxes, but probably not necessary for this situation.
OldManRivuh
Posts: 401
Joined: October 5th, 2004, 9:48 am
Location: Northern, CA

Post by OldManRivuh »

lithopsian wrote: Well thanks for all the abuse. Might have been better to be polite when asking someone else to write your addon for you. Maybe even not rant at us about things you don't understand. Never mind, addons are being dropped anyway, so not much point writing another one ...


Any "abuse" is in your apparently addled mind.
Noitidart
Posts: 1168
Joined: September 16th, 2007, 8:01 am

Post by Noitidart »

OldManRivuh wrote:
Noitidart wrote: Now of course this code won't execute on a page that requires a nonce. However, if you know the nonce, I'm sure you can make the bookmarklet run with a nonce, I'm not sure how to do that. But as my nonce example above works.


Twitter sets nonce attribute on a majority of their script tags.

This is how to "know the nonce":

Code:

gBrowser.contentDocument.querySelector('script[nonce]').getAttribute('nonce')


Therefore it absolutely has to be possible somehow to get the bookmarklet to run. Don't give up on it, this is the direction to go in. I understand that the bookmarklet won't run in the first place, but there has to be a way somehow to get it to work somehow. Believe that and you will get it done. I have done many things that people told me were not possible within the last year. So don't tell yourself it's not possible, that's the worst thing to do. Keep at it man you can do it!
Last edited by Noitidart on September 2nd, 2015, 3:16 pm, edited 1 time in total.
Noitidart
Posts: 1168
Joined: September 16th, 2007, 8:01 am

Post by Noitidart »

lithopsian wrote: Well thanks for all the abuse. Might have been better to be polite when asking someone else to write your addon for you. Maybe even not rant at us about things you don't understand.

+1

lithopsian wrote: Never mind, addons are being dropped anyway, so not much point writing another one ...

Haha we have to have hope man. Firefox is addons for me. We have to have hope! I can't live without my addons for Firefox!
mod_wastrel
Posts: 354
Joined: July 6th, 2006, 1:34 pm
Location: VA, US

Post by mod_wastrel »

AMO made a change within the past few days... a couple of bookmarklets I've used for years that simply scroll the page to the top or the bottom now don't work (not in any release as far back as I checked--back in the twenty-somethings). They worked fine last week. They'll also work if I block scripts on AMO. Yeah, real helpful, Mozilla. (Sorry, how is it again that CSP is supposed to help me?)
And, yeah, I know how to bypass it in more ways than one, but I'll take the easiest route.
;) mozillaZine is not Mozilla; just as Godzilla is not God. Neither is Mozilla God... they just think they are (what's that about:mozilla?).
Hey, Mozilla... are you sure you wish to do this? (bug 1121291)
morat
Posts: 6403
Joined: February 3rd, 2009, 6:29 pm

Post by morat »

What's annoying to me is when I use extension code to disable the content security policy, the web code uses a listener to reload the page so the content security policy is reset.
OldManRivuh
Posts: 401
Joined: October 5th, 2004, 9:48 am
Location: Northern, CA

Post by OldManRivuh »

I wish someone would write a simple low-level filter that just looks for and removes the "No local JavaScript" part of the CSP specification from the HTML document before it reaches the browser.
That would fix the problem across the board.
Until someone figures out how to make the browsers know the difference between "local" and "non-local" executed JS. (if they ever can or do do that)