Adding scripts to extension pages

When browser.tabs.create() is used in the background script to create a new tab as an extension page that uses a URL relative path to an HTML file packaged with the extension, why is having a script tag in that HTML file that links to a JavaScript file also packaged with the extension a security violation?

Does this mean all extension pages have content scripts only?

Can extension pages be name specifically in the manifest; is there an extension path that can be provided for a match pattern?

It doesn’t cause an issue for my project but it just confuses me a bit. I didn’t think I’d need to add the script with browser.tabs.executeScript() as is done in non-extension pages.

Thank you.

I think issues are only with “inline” script tags, like:

  alert("Hello World!");

But external script tags are ok:

<script type="application/javascript" src="../browser-polyfill.min.js"></script>

1 Like

Thank you. That is what I was expecting but got a security error about loading a script. And then I read over the fist two extension examples again and, the second one I think, added the script to the pop up using tabs.executeScript().

Perhaps, I have something else wrong in the code. I’ll try it on simpler set of code again.

I don’t know what I had wrong but I had something wrong because, after I moved the pieces into a smaller block of code, the script loads from the manifest package into the extension page without throwing a security error.

Thank you.

1 Like