I inject a content script into all urls, all frames. A user event on the main page must fullscreen an element in a cross-origin iframe.
-
postMessage()
does not count as a “short-running user-generated” event nor is it secure since the add-on cannot specify itself as a uniqe target origin. - Custom events cannot be put on cross-origin windows, and have the same problem as above.
-
runtime.sendMessage()
is global, and leads to many listeners. Also same problem as above.