When browser.tabs.create() is used in the background script to create a new tab as an extension page that uses a URL relative path to an HTML file packaged with the extension, why is having a script tag in that HTML file that links to a JavaScript file also packaged with the extension a security violation?
Does this mean all extension pages have content scripts only?
Can extension pages be named specifically in the manifest; is there an extension path that can be provided for a match pattern?
It doesn’t cause an issue for my project but it just confuses me a bit. I didn’t think I’d need to add the script with browser.tabs.executeScript() as is done in non-extension pages.
Thank you.
I think issues are only with “inline” script tags, like:
<script>
alert("Hello World!");
</script>
But external script tags are ok:
<script type="application/javascript" src="../browser-polyfill.min.js"></script>
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script
1 Like
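Added example, not part of any post in this thread: a heuristic Node.js check for the distinction drawn in the reply above, assuming the page runs under the default extension CSP (`script-src 'self'`). The function name `findCspViolations`, the sample page and the `cdn.example` URL are constructed for illustration.

```javascript
// Heuristic lint for an extension page under the default extension CSP
// (script-src 'self'). Regex-based; not a full HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const TAG_RE = /<[a-z][^>]*>/gi;
const HANDLER_RE = /\son[a-z]+\s*=/i;
const JS_TYPE_RE = /^(module|(text|application)\/(java|ecma)script)$/i;

// Read one attribute value (quoted or unquoted) from a tag's attribute text.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findCspViolations(html) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const type = attr(attrs, "type");
    if (type && !JS_TYPE_RE.test(type.trim())) continue; // data block, never executed
    const src = attr(attrs, "src");
    if (src === null) {
      // No src: the body is inline code, which 'self' does not allow.
      if (body.trim() !== "") findings.push({ kind: "inline-script", detail: body.trim() });
    } else if (/^(https?:)?\/\//i.test(src)) {
      // Absolute or protocol-relative URL: not packaged with the extension.
      findings.push({ kind: "remote-script", detail: src });
    }
  }
  for (const [tag] of html.matchAll(TAG_RE)) {
    // Inline event handlers (onclick=...) are blocked like inline scripts.
    if (HANDLER_RE.test(tag)) findings.push({ kind: "inline-handler", detail: tag });
  }
  return findings;
}

// Constructed sample page: three blocked patterns plus one allowed packaged script.
const SAMPLE_PAGE = `<!DOCTYPE html>
<html><body>
<button onclick="save()">Save</button>
<script>
alert("Hello World!");
</script>
<script src="https://cdn.example/lib.js"></script>
<script type="application/javascript" src="../browser-polyfill.min.js"></script>
</body></html>`;

console.log(findCspViolations(SAMPLE_PAGE));
```

An empty result means the page only loads scripts by relative path from the extension package, which is the case the reply describes as OK.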
Thank you. That is what I was expecting but got a security error about loading a script. And then I read over the first two extension examples again and, the second one I think, added the script to the pop-up using tabs.executeScript().
Perhaps I have something else wrong in the code. I’ll try it on a simpler set of code again.
I don’t know what I had wrong but I had something wrong because, after I moved the pieces into a smaller block of code, the script loads from the manifest package into the extension page without throwing a security error.
Thank you.
1 Like