Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal: dom.execute() #678

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

rdcronin
Copy link
Contributor

This adds a proposal for a new dom.execute() method, which will allow synchronous execution in another "world" from a content script.

This adds a proposal for a new dom.execute() method, which will allow
synchronous execution in another "world" from a content script.
Copy link
Contributor

@carlosjeurissen carlosjeurissen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rdcronin @Rob--W
Thanks for putting this together and continue where we left off during the San Diego meeting!


**Author:** rdcronin

**Sponsoring Browser:** Chromee
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**Sponsoring Browser:** Chromee
**Sponsoring Browser:** Chrome

There are no necessary manifest changes.

## Security and Privacy

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having this API in it's current form would not make sense outside isolated worlds.

Suggested change
### Availability
Initially `dom.execute()` will only be available in isolated worlds (content scripts and user scripts).

This API is a necessary first step before introducing inter-world communication
channels. We plan to do that alongside the implementation for this API.

### Specifying a target world
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which means not specifying the target world in the future would default to the main world. If that is a downside or if explicitly specifying a target world right from the start is preferred specifying the target world right now world be good.


##### Injected script privileges

The injected script has the same privileges has other script in the main world.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The injected script has the same privileges has other script in the main world.
The injected script has the same privileges as other scripts in the main world.


##### CSP Application

The injected script is not considered inline and does not have a corresponding
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this also apply if JavaScript in general is disabled? With script-src set to "none" for example.

@@ -0,0 +1,174 @@
# Proposal: browser.dom.execute()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the motivation to use the dom namespace instead of the scripting namespace? Considering it's similarities with scripting.executeScript and the seemingly lack of connection with the DOM. Considering execute(), createPort() and also openOrClosedShadowRoot(), would it not make sense to use browser.document instead?

* Appending a new script tag to the document

The former is heavily asynchronous or requires knowledge of whether to inject
beforehand (to register a script). The latter is very visible to the site and
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latter is also asynchronous, because the default CSP of content scripts in MV3 forbids inline script elements, leaving the only option to be <script src> with extension URL as src.

##### Return value serialization

Like arguments, the return value of the execution is serialized and
deserialized using the Structured Cloning algorithm.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
deserialized using the Structured Cloning algorithm.
deserialized using the Structured Cloning algorithm.
Thrown errors are also serialized using the Structured Cloning algorithm.
When an input parameter or return value cannot be serialized, an error is thrown synchronously.
Notably, `Promise` instanced such as returned by `async function` cannot be serialized.

I elaborated on the serialization semantics. Although it would be nice to support Promise, I also recognize the complexity associated with supporting it, so I'm explicitly calling out non-support for Promise. I'm willing to consider support in the future, but note that a future expansion (dom.createPort proposal) also allows for async communication.

**Summary**

This API allows an isolated world (such as a content script world or user
script world) to synchronously execute code in the main world of the document
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this proposal limited to the main world? I was imagining this API to also be used from content scripts to execute in a user script world.


## Implementation Notes

N/A.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The whole proposal sketches this as a feature designed for isolated worlds. While the dom namespace is available to content scripts, it is not restricted to content scripts - regular extension documents can also access the API.

Should we restrict the availability of this new functionality to content scripts only, or do you want it to have the same availability as the current dom namespace?

Comment on lines +84 to +86
Arguments are serialized and deserialized using the Structured Cloning
algorithm. This allows for more flexibility than simply JSON conversion. In
the future, some arguments may have custom serialization.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have the proposal authors considered whether arguments should support transferable objects?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants