You can define to load a page at a certain time of building DOM using run_at: for example with parameter page_start. this isn’t working either. it seems to me that either the script is being run asynchronous, or there is some other reason for this not to be working:
aall=document.getElementsByTagName("*");
for (var i=0, max=aall.length; i < max; i++) {
aall[i].addEventListener=function(a,b,c){ console.log(“Log”); return false; };
}
console.log(“Log”); is never being called, even though an event has been added to the element using addEventListener in the test html file. My current solution for this is an own firefox fork that overwrites the functions in the javascript engine, which is kind of overdosed.
Hello,
thanks for your imput. that’s exactly what i’m trying to do. Element.prototype.addEventListener failed, too. But i’m gonna check again to get sure. The reason is that i want to be able to block external scripts or scripts from the page itself from adding blacklisted events.
so injecting javascript that will get executed before anything else gets executed would be great.
i’m using a content script, run_at is only for content scripts, as far as i know.
You Reely ned to read and understand the article I linked above, especially the things about Xray vision.
Regarding your actual aim, overwriting the addEventListener function is not the best way to achieve it. You should instead attach a capturing listener on the document and call .stopImmidiatePropagation on it.
it’s working perfectly now using
var actualCode = ‘Element.prototype._addEventListener=Element.prototype.addEventListener;Element.prototype.addEventListener=function(a,b,c){if(a!=“mouseenter”){this._addEventListener(a,b,c);}};’;
your input lead my on the right track, allthough i allready knew the page you were linking to - thanks alot for your help!
That is generally a cleaner way to inject scripts, but is rejected by CSPs all the same. If the page has a CSP with doesn’t explicitly allow script-src 'unsafe-inline' (or 'unsafe-eval') you will not be able to inject code into the page at all.
it has to be injected somehow because at run_at document_start, the dom tree hasn’t loaded yet. the description in the MDN API documentation sounds like the script being loaded asynchronously with run_at document_end.
event.stopImmediateProgragation can only be applyed to existing DOM elements, afaik.
I’m not quite sure what you mean. You call .stopImmediateProgragation() on events when they occur, so of course an event target exists at that time. But you can attach your capturing listener that does the cancelling earlier. For most events you can put it on the window, for some few event types you need to use the document. Either way you can attach the listener before the first element is present, and it will affect all elements that are later added to the DOM.
btw: i tryed several methods by now. script injection was the first that really worked.
aall=document.getElementsByTagName("*");
for (var i=0, max=aall.length; i < max; i++) {
aall[i].addEventListener=function(a,b,c){ console.log(“Log”); return false; };
} console.log(“Log”); is never being called
also, when using jquery and stopImmediatePropagation or overwriting addEventListener, it doesn’t work.
another thing: why should adding code to the objects representing the page be a problem? it’s not inline scripting, and unsafe-inline shouldn’t concern it.
That is to be expected. Due to the Xray vision, the .addEventListener function called by the page scripts is a different one (that does the exact same thing).
why should adding code to the objects representing the page be a problem? it’s not inline scripting, and unsafe-inline shouldn’t concern it.
if you are adding script tags with code to the page, that is an inline script and the CSP will prevent it’s execution. It duesn’t matter where the code string came from.
also, when using jquery and stopImmediatePropagation […], it doesn’t work.
You can’t use jQuery for this. You need to use .addEventListenerand set useCaptureto true. jQuery doesn’t support that. If you attach your listener like that, it can call .stopImmediatePropagation().
sure it’s possible with jquery.
that’s simply not true, xray vision is concerning content and background script communication, it’s not inline scripting, and so on.
i’m out of this conversation.
thank you again for your help, annyway.