From 4c42f83b75dd847c7bbddf3fb4bb8cf27e1701e7 Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Mon, 6 Feb 2023 18:33:56 +0100 Subject: [PATCH] Document composition of content script global Related bugs: - https://bugzilla.mozilla.org/show_bug.cgi?id=1208775 (and linked bugs) - https://bugzilla.mozilla.org/show_bug.cgi?id=1288284 --- .../webextensions/chrome_incompatibilities/index.md | 10 ++++++++++ .../add-ons/webextensions/content_scripts/index.md | 3 +++ 2 files changed, 13 insertions(+) diff --git a/files/en-us/mozilla/add-ons/webextensions/chrome_incompatibilities/index.md b/files/en-us/mozilla/add-ons/webextensions/chrome_incompatibilities/index.md index 87f1633339298d5..4851d01b5199dd0 100644 --- a/files/en-us/mozilla/add-ons/webextensions/chrome_incompatibilities/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/chrome_incompatibilities/index.md @@ -197,6 +197,16 @@ When calling `tabs.remove()`: - **In Firefox:** When a content script makes an HTTP(S) request, you _must_ provide absolute URLs. - **In Chrome:** When a content script makes a request (for example, using [`fetch()`](/en-US/docs/Web/API/Fetch_API/Using_Fetch)) to a relative URL (like `/api`), it will be sent to `https://example.com/api`. +#### Content script environment + +- **In Firefox:** The global scope of the [content script environment](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#content_script_environment) is not strictly equal to `window` ([bug 1208775](https://bugzilla.mozilla.org/show_bug.cgi?id=1208775)). More specifically, the global scope (`globalThis`) is composed of standard JavaScript features as usual, plus `window` as the prototype of the global scope. Most DOM APIs are inherit from the page through `window`, through [Xray vision](/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts#xray_vision_in_firefox) to shield the content script from modifications by the web page. Content scripts may encounter JavaScript objects from its own global scope or Xray-wrapped versions from the web page. +- **In Chrome:** The global scope is `window` and the available DOM APIs are generally independent of the web page (other than sharing the underlying DOM). Content scripts cannot directly access JavaScript objects from the web page. + +#### Executing code in web page from content script + +- **In Firefox:** {{jsxref("Global_Objects/eval", "eval")}} runs code in the context of the content script, and `window.eval` runs code in the context of the page. See [Using `eval` in content scripts](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#using_eval_in_content_scripts). +- **In Chrome:** {{jsxref("Global_Objects/eval", "eval")}} always runs code in the context of the content script, not in the context of the page. + #### Sharing variables between content scripts - **In Firefox:** You cannot share variables between content scripts by assigning them to `this.{variableName}` in one script and then attempting to access them using `window.{variableName}` in another. This is a limitation created by the sandbox environment in Firefox. This limitation may be removed, see {{bug(1208775)}}. diff --git a/files/en-us/mozilla/add-ons/webextensions/content_scripts/index.md b/files/en-us/mozilla/add-ons/webextensions/content_scripts/index.md index 36652a90f09803b..f3abf77e40dc284 100644 --- a/files/en-us/mozilla/add-ons/webextensions/content_scripts/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/content_scripts/index.md @@ -68,6 +68,9 @@ However, content scripts get a "clean" view of the DOM. This means: - If a page script redefines a built-in DOM property, the content script sees the original version of the property, not the redefined version. In Firefox, this behavior is called [Xray vision](/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts#xray_vision_in_firefox). +Content scripts may encounter JavaScript objects from its own global scope or Xray-wrapped versions from the web page. +In Chrome this behavior is enforced through an [isolated world](https://chromium.googlesource.com/chromium/src/+/master/third_party/blink/renderer/bindings/core/v8/V8BindingDesign.md#world), which uses a fundamentally different approach. +See ["Content script environment" at Chrome incompatibilities](/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities#content_script_environment) for more information. Consider a web page like this: