Want to pass a message from my webpage to my extension

I got the link: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#Communicating_with_the_web_page

but it's still not allowing me, and the addon is not published due to that.

Can I get a better solution?

Is there something special the reviewer said about it? Why is it not ok?

There is one issue in the example code posted in the docs, though - the targetOrigin in the window.postMessage function should not be set to "*"; instead, you should specify the target page URL. See the other docs:

Other than that, this API is suitable for two-way communication with your addon.

But how do I set the targetOrigin when I am passing the message from the webpage to the extension?

This is the response I got from the reviewer:

If the source is window, it means that your add-on’s behaviour is modified through events outside of it and just because it’s coming from your webpage doesn’t make it safer.

For more information please read https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns and https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Using_window.postMessage_in_extensions.

Now that’s strange, maybe it depends on how the web-page can alter the behavior of your addon?

I’m using the same technique to communicate with my own page and with one 3rd party page and the only thing the reviewer mentioned was the "*".
But in my case the page can only trigger one specified action so there is no security issue there even if the target page was malicious (it cannot alter other behavior nor get any user data).

@freaktechnik could you share your thoughts here please?

Yes, for my extension there is also no behavior changed; it's only used for passing a few pieces of data from my web page to my extension.
I am also confused about how the page changes the behavior of my extension.

Not sure what thoughts I have to share other than that you should design your APIs interacting with a page to require as little interaction started from the page itself as possible. So essentially exposing as little as possible to webpages.

So I’d probably agree with the reviewer, just based on quickly looking through this thread and not really having thought about such things in quite a while.
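
Added example (not part of the thread and not code from any poster or from MDN): a content-script listener that treats every page message as untrusted, checking the source window and the exact origin, and accepting only one allowlisted action with a validated field. The origin, the `direction` marker, the action name and the `itemId` field are assumptions for illustration.

```javascript
// Content script. ALLOWED_ORIGIN, the action name and itemId are hypothetical.
const ALLOWED_ORIGIN = "https://app.example.com";
const ALLOWED_ACTIONS = new Set(["open-panel"]); // everything a page may request
const ITEM_ID = /^[a-z0-9-]{1,32}$/;

// Returns a freshly built request object, or null when the event is ignored.
function acceptPageMessage(event, ownWindow) {
  if (event.source !== ownWindow) return null;      // e.g. posted by an iframe
  if (event.origin !== ALLOWED_ORIGIN) return null; // exact match only
  const d = event.data;
  if (d === null || typeof d !== "object") return null;
  if (d.direction !== "from-page-script") return null;
  if (typeof d.action !== "string" || !ALLOWED_ACTIONS.has(d.action)) return null;
  if (typeof d.itemId !== "string" || !ITEM_ID.test(d.itemId)) return null;
  // Copy only the validated fields; never forward event.data as-is.
  return { action: d.action, itemId: d.itemId };
}

// Constructed sample events (not captured traffic).
function runSamples() {
  const win = {}; // stands in for the content script's window
  const ok = { direction: "from-page-script", action: "open-panel", itemId: "abc-1" };
  const samples = [
    { source: win, origin: ALLOWED_ORIGIN, data: ok },                              // accepted
    { source: win, origin: ALLOWED_ORIGIN + ".evil.test", data: ok },               // look-alike origin
    { source: {}, origin: ALLOWED_ORIGIN, data: ok },                               // other window
    { source: win, origin: ALLOWED_ORIGIN, data: { ...ok, action: "set-config" } }, // not allowlisted
    { source: win, origin: ALLOWED_ORIGIN, data: { ...ok, itemId: "ABC 1" } },      // bad field
  ];
  return samples.map((e) => acceptPageMessage(e, win) !== null);
}

// Only runs inside an extension content script.
if (typeof window !== "undefined" && typeof browser !== "undefined") {
  window.addEventListener("message", (event) => {
    const request = acceptPageMessage(event, window);
    if (request) browser.runtime.sendMessage(request);
  });
}

// Page side: the page posts to its own window, so targetOrigin is its own origin:
//   window.postMessage({ direction: "from-page-script", action: "open-panel",
//                        itemId: "abc-1" }, window.location.origin);
```

Even with these checks, any script running on the allowed origin can send the accepted message, so the set of actions reachable this way should stay as small as the extension can manage.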