Any way to safely inject remote scripts?

(Mark J) #1

Hello, I realize that this is a common question, and has been answered “no” many times, but this case seems a bit different to me. I work for a company who has a couple of extensions that use the same functionality. I can’t get into the details of the functionality publicly, but the idea is that for these small bits of functionality, we would like to create a shared API between our extensions that can provide the same functionality, in real time. These scripts unfortunately need to be updated frequently, and having to wait for an entire review cycle limits our ability to provide the right content to our users. It would be ideal to serve these small scripts from a remote API.

The policy documentation says “Remote code may be executed in documents with the same origin as the code being executed, or, under limited circumstances, in carefully constructed sandboxes”. Can we achieve what we are trying to do with this sandbox approach? Or, can we give Mozilla access to our APIs (HTTPS) to ensure that we are absolutely not injecting malicious functionality?

(erosman) #2

To start with, that depends on how you want to distribute the extension.

Remote scripts are not allowed on extensions that are listed on AMO, but in case of unlisted/self-distributed, the rules are different.

AFA safety, if the remote script is under your control, then its safety would also be under your control.

If the remote script is not under control, then its content can change and there isn’t a safe way to include it as a script.

However, if remote data is required, it can be inserted safely. This is the case when, for example, a developer creates a remote JS file that only contains JSON. That JSON can be imported safely as data (but there are considerations).
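
An added example (not code from either poster) of the "import as data" approach mentioned in the last reply: the response body is parsed with `JSON.parse`, never evaluated, and then checked against an allowlist before the extension uses it. The field names, limits and sample payloads are hypothetical and constructed for illustration.

```javascript
// Added example; the field names and limits below are hypothetical.
const MAX_CHARS = 16 * 1024;

// Allowlist: every accepted key has a validator; anything else is rejected.
const SCHEMA = {
  version: (v) => Number.isInteger(v) && v > 0,
  bannerText: (v) => typeof v === "string" && v.length <= 200,
  blockedHosts: (v) => Array.isArray(v) && v.length <= 100 &&
    v.every((h) => typeof h === "string" && /^[a-z0-9.-]{1,253}$/.test(h)),
};

// bodyText is the raw response body, e.g. from `await (await fetch(url)).text()`.
function parseRemoteData(bodyText) {
  if (typeof bodyText !== "string" || bodyText.length > MAX_CHARS) {
    return { ok: false, reason: "size" };
  }
  let raw;
  try {
    raw = JSON.parse(bodyText); // a data parser; never eval() or new Function()
  } catch (e) {
    return { ok: false, reason: "not-json" };
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    return { ok: false, reason: "shape" };
  }
  const clean = Object.create(null); // no prototype chain to tamper with
  for (const key of Object.keys(raw)) {
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      return { ok: false, reason: "unknown-key:" + key };
    }
    if (!SCHEMA[key](raw[key])) {
      return { ok: false, reason: "bad-value:" + key };
    }
    clean[key] = raw[key];
  }
  for (const key of Object.keys(SCHEMA)) {
    if (!(key in clean)) return { ok: false, reason: "missing:" + key };
  }
  return { ok: true, data: Object.freeze(clean) };
}

// Constructed sample responses.
const SAMPLE_GOOD = '{"version":3,"bannerText":"Hello","blockedHosts":["ads.example"]}';
const SAMPLE_SCRIPT = 'window.config = {"version":3};'; // JavaScript, not JSON
const SAMPLE_EXTRA = '{"version":3,"bannerText":"x","blockedHosts":[],"__proto__":{"a":1}}';
const SAMPLE_BADHOST = '{"version":3,"bannerText":"x","blockedHosts":["<b>"]}';
```

Validated strings are still untrusted text: put them into the page with `textContent` rather than `innerHTML`.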