🏠 返回首頁 

讨论 » 开发

unsafeWindow cannot call GM_xmlhttpRequest (firefox security update for unsafewindow) ff-30+


unsafeWindow cannot call GM_xmlhttpRequest (firefox security update for unsafewindow) ff-30+

**Who’s affected?** (also includes scripts with GM_xmlhttpRequest's in an unsafewindow)
Add-on SDK-based add-ons that use unsafeWindow or window.wrappedJSObject in content scripts to share JavaScript objects with the scripts loaded by a web page will be broken by this change.

**The workaround**
In the short term, there’s a new option in package.json called “unsafe-content-script” under the “permissions” key. By setting it to true you can revert to the old behavior:

"permissions": {
"unsafe-content-script": true

However, this is only a temporary fix to enable your add-on to keep working while you update to the new APIs. We will deprecate and eventually remove this flag.

**The real fix**
The real fix is to use three new APIs to share objects and functions with web content: cloneInto(), exportFunction(), and createObjectIn(). All three of these functions are made available to content scripts as globals.

(be aware that the workaround may be removed when a stable release of firefox 31 or 32 is released, greasemonkey 2.0 also implements these new security features and is up for release after mozilla review is complete)



Thank you for the information ;)


