In general, Firefox dev pages seem to advocate good security practices, but heavy-handed restrictions make it difficult to perform some actions without going against such practices.
I was wondering if there was an elegant way to ask for permission to access domains whose iframes are in the current webpage. I need to modify DOM elements in (potentially cross-origin) iframes of pages for which the add-on has permission. I would like to do so without the <all_urls> and all_frames permissions.
What is best practice then? Some obnoxious popup informing the user to simply click the Browser Action?
One step further: If I want the user to be able to modify the url (with wildcards and such) before requesting permission, how do I ask for permission elegantly? The doc says I can use âa button in a page bundled with the extensionâ, but this does not seem to be the case for the Browser Action popup.
As far as I can tell, activeTab permissions do not extend to iframes in the page. Additionally, the add-on I am creating is passive; I do not want the user to perform some designated âuser actionâ to inject my content script.
I have edited my post and hopefully narrowed down my issue.
Hi Ben, one possibility would be to detect the hosts and ask the user if they want to grant permission. The hangup is that permission.request() doesnât work when called from a popup (i.e., hanging off your toolbar button) or sidebar in Firefox. I think you need to show the Options page or maybe something in a new window. I havenât had time to experiment.
Yes, the fact permission.request() is linked to a user action is the hangup. For the foreseeable future, I will use a window-based popup approach in which I create a new, minimal window with a âuser actionâ button. The result is ugly, but at least it does not divert the user from his current browsing page.