can you load external executable javascript from a firefox extension?

Question

Does anyone know if there is a way to load any external executable javascript from a firefox add-on extension? I looked into scriptloader.loadSubScript, but it appears that it can only load from a local resource.

Any help would be appreciated.

Answer 1

As @erikvold already pointed out, doing so would be a security hazard AND it also violates AMO rules (because it is a security hazard).

Consider your server gets compromised, or there is a way to MITM the connection retrieving the remote script (TLS bugs anyone :p), or you sell your domain and the new owner decides to ship a script to collect credit card information straight from a user's hard disk...

However, it is possible to run a remote script in an unprivileged environment, much like it would run in a website.

• Create a Sandbox. The Sandbox should be unprivileged, e.g. pass an URL in your domain into the constructor.
• Retrieve your script, e.g. with XHR.
• Evaluate your script in the Sandbox and pull out any data it might have generated for you.

This is essentially what tools like Greasemonkey (executing user scripts) do.

Creating and working with Sandboxes in a secure fashion is hard, and the Sandbox being unprivileged prohibits a lot of use cases, but maybe it will work for your stuff.

Answer 2

Try using Components.utils.import .

Example :

const {Cc,Ci,Cu} = require("chrome");

Cu.import("url/path of the file");

Note :

js file which uses DOM objects like window, navigator, etc. will return error saying "window/navigator is undefined". This is simply because the main.js code does not have access to DOM.

Refer this thread for more information.

Answer 3

You can always xhr for a file, save the contents to disk, then use scriptloader.loadSubScript with an add-on

this would violate the AMO policies though, so you wouldn't be able to upload the add-on to http://addons.mozilla.org