Remote JS file in Firefox extension
I am coding a Firefox add-on for my website visitors. I am trying to make that extension load a remote JavaScript file, so visitors can change settings and options for the add-on in their profile on the website, and the add-on loads it via remote JS.
Here is what I tried:
if (window.location.hostname == "link") {
    pagesload = 'http://link/file.js?v=' + randnw;
    var req = new XMLHttpRequest();
    req.open('GET', pagesload, false);
    req.send();
    var contents = req.responseText;
    eval(contents);
}
Don't ever do something like that! This is a security nightmare (even if you'd run it just in a content script).
If you ever plan to publish the add-on, in the Mozilla add-ons gallery (AMO) or not, as doing something like this would violate the Add-on Guidelines, your AMO submission would be rejected and/or your self-hosted add-on would be blocklisted for being unsafe upon discovery.
When running in an SDK module, it would be fully privileged and can do whatever the system user account can do. Instead of evaluating some remote script, only exchange data, such as JSON, XML, plain text, etc. and verify the data before using it (don't simply trust remote data).
From an SDK module, incl. main.js, you may use the request or net/xhr module, both of which do not have a same-origin policy.
Content scripts can be made into cross-domain content scripts should the need arise, but they can use XMLHttpRequest for the same domain they are running on even without it.
Your question also has a snippet using synchronous XHR. Don't use synchronous XHR. It is strongly discouraged and considered a bad practice on the web, and even more so in add-ons (and not really officially supported there anyway).
No idea, you didn't provide enough details to reproduce the problem. E.g. you haven't even mentioned where that code is supposed to work (main.js, a content script, ...)
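The approach the answer recommends (exchange data only, verify it before use, and make the request asynchronous), as an added example that is not part of the original answer. The setting names in SCHEMA, the DEFAULTS values and the size limit are hypothetical, and the XHR constructor is passed in as a parameter so the code also runs outside a browser.

```javascript
// Added example: treat the remote response as untrusted DATA, never as code.
// SCHEMA keys (theme, fontSize, showBadge) are hypothetical add-on settings.
const SCHEMA = {
  theme:     v => typeof v === 'string' && ['light', 'dark'].includes(v),
  fontSize:  v => Number.isInteger(v) && v >= 8 && v <= 32,
  showBadge: v => typeof v === 'boolean',
};
const DEFAULTS = Object.freeze({ theme: 'light', fontSize: 12, showBadge: true });
const MAX_CHARS = 4096; // settings are small; refuse anything larger

// Parse and validate a response body. Returns a fresh object holding only
// allowlisted keys with checked values, or throws on anything unexpected.
function parseSettings(text) {
  if (typeof text !== 'string' || text.length > MAX_CHARS) {
    throw new Error('response missing or too large');
  }
  const data = JSON.parse(text); // parses data only, executes nothing
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('expected a JSON object');
  }
  const out = Object.assign({}, DEFAULTS);
  for (const key of Object.keys(data)) {
    // Own-property lookup, so "__proto__" or "constructor" never match.
    const known = Object.prototype.hasOwnProperty.call(SCHEMA, key);
    if (!known) throw new Error('unknown setting: ' + key);
    if (!SCHEMA[key](data[key])) throw new Error('invalid value for ' + key);
    out[key] = data[key];
  }
  return out;
}

// Asynchronous load. In a page or content script, pass XMLHttpRequest as XHR.
// On any failure the callback receives the error plus the built-in defaults.
function loadSettings(XHR, url, onDone) {
  const req = new XHR();
  req.open('GET', url, true); // third argument true = asynchronous
  req.onload = () => {
    try { onDone(null, parseSettings(req.responseText)); }
    catch (e) { onDone(e, Object.assign({}, DEFAULTS)); }
  };
  req.onerror = () => onDone(new Error('network error'), Object.assign({}, DEFAULTS));
  req.send();
}
```

A response that contains script text instead of JSON fails in JSON.parse and the add-on keeps its defaults; nothing from the server is ever passed to eval.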
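Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.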