I inject a content script into all urls, all frames. A user event on the main page must fullscreen an element in a cross-origin iframe.
postMessage()does not count as a “short-running user-generated” event nor is it secure since the add-on cannot specify itself as a uniqe target origin.
- Custom events cannot be put on cross-origin windows, and have the same problem as above.
runtime.sendMessage()is global, and leads to many listeners. Also same problem as above.