This issue is to track and discuss issues that arise if we run scripts in the content scope. To begin with: - Do we wrap scripts in an anonymous function, to provide a namespace isolated from the page? - How do we handle ``s? - How do we actually perform injection / execution?
该提问来源于开源项目:greasemonkey/greasemonkey
分享 My gut tells me that method of execution should be via some sort of custom protocol handler ( https://developer.mozilla.org/En/NsIProtocolHandler ), guaranteeing that the appropriate URL will be outside the same-origin to any page (thus the script content is unreadable to the page). Then injection is just adding a <script> node with the proper custom-protocol URL. Our protocol handler then knows how to glue the script and any requires together into an appropriate response for javascript execution.
Perhaps ``s can also then be referred to by a URL served by this protocol.
分享
