Operation is insecure

noitidart · August 14, 2015, 2:47am

I was trying to synthesize plain text paste into a field. To replicate:

Open twitter.com in a tab
Sign in
Open new tweet (or hit “n” key on keyboard)

While this tab, open scratchpad, set environment to browser, copy-paste-run this code:

 function sendTwitterPasteEvent() {
 
     var aContentWindow = gBrowser.contentWindow;
     var aContentDocument = aContentWindow.document;
 
     /*
     var btnNewTweet = aContentDocument.getElementById('global-new-tweet-button');
     //console.info('btnNewTweet:', btnNewTweet);
     if (!btnNewTweet) {
         throw new Error('global tweet button not found, probably not logged in');
     }
 
     btnNewTweet.click();
     */
     var richInputTweetMsg = aContentDocument.getElementById('tweet-box-global');
     var pasteEvent = new aContentWindow.ClipboardEvent('paste', {
         bubbles: true,
         cancelable: true
     });
 
     pasteEvent.clipboardData.setData('text/plain', 'rawr');
 
     console.info('pasteEvent:', pasteEvent);
 
     richInputTweetMsg.dispatchEvent(pasteEvent);
     console.log('sent')
 }
 
 sendTwitterPasteEvent();

Doing this triggers this in browser console:

SecurityError: The operation is insecure. boot.3698c0758aa5a65ecda72620ec25a873a6a851ce.js:527:0

I thought addons shouldnt run into this problem, any ideas on how come this plain text wont go through?

jorgev · August 18, 2015, 6:24pm

Maybe it’s breaking Twitter’s CSP?

noitidart · August 18, 2015, 11:22pm

But how to get around that. Maybe Cu.Sandbox?