
To my understanding, there are two types of scripts in an extension: one is "content scripts" that run from, and interact with, the DOM of web pages, and which are governed by the same-origin policy; the other is scripts, call them "extension scripts", that run in the background and may or may not interact with web pages, like main.js in Firefox or background.js in Chrome. Here is Google's explanation of extension scripts:

"...have a single long-running script to manage some task or state ...the background page is an HTML page that runs in the extension process. It exists for the lifetime of your extension, and only one instance of it at a time is active"

So the question is, how does same-origin policy apply to "extension scripts"? And why should it, since these scripts are independent from contents on the webpage that is being viewed? What is the domain of an extension script anyway? (Google says "extension attempts to use a security origin other than itself", but doesn't explicitly state what the origin is.)

Could the following be done in an extension?

Example one: get the time from a time server, and display it on the add-on bar.

Example two: an extension that checks whether a recently closed page from an arbitrary domain (or a bookmarked but closed page) is updated, and alerts the user if it is.

I know cross-domain HTTP and FTP requests in Chrome can be accomplished by using XMLHttpRequest after declaring the permission http://*/. But what about Firefox? What about other protocols, like SMTP, PPP, etc.?

Is WebSocket in HTML5, used in an extension script, shackled by the same-domain policy?

Cliptoo

2 Answers

Chrome extensions (background pages included) are limited by the same-origin policy just like regular web pages. However, you can request cross-origin permissions in the manifest of the Chrome app or extension, which will allow your XHR to succeed. So, you should be able to do example 1 with this scheme. I'm not sure how you could do example 2 above.

In your extension's manifest.json:

"permissions": [
  "http://www.google.com/"
],

I'll let others answer the question about Firefox.

There is a reference here with more information: http://developer.chrome.com/extensions/xhr.html

petewil-G

Firefox has two types of extensions: traditional Overlay extensions and the new Add-on SDK extensions.

Overlay extensions aren't subject to the same-origin policy, and for example the following jQuery code worked for me:

$.get("http://www.example.org", function() { /* do something */ } );

However, for the new Add-on SDK extensions the situation is pretty much the same as for Google Chrome extensions: the "extension script" is limited by the same-origin policy, and you can whitelist domains in package.json using the cross-domain-content attribute:

"permissions": {
  "cross-domain-content": ["http://example.org/", "http://example.com/"]
}

Wildcards are not allowed in this attribute. You have to request specific domains, as written on the MDN site:

The domains listed must include the scheme and fully qualified domain name, and these must exactly match the domains serving the content...

So for your examples, they would fail on the same-origin policy. You'd have to either write an Overlay extension, or use CORS, JSONP or other techniques to get around it, if possible.

kub1x
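As an added example, not code from the question or either answer: a small JavaScript checker that applies the two permission regimes the answers describe (Chrome match patterns in manifest.json, exact origins in the Add-on SDK's cross-domain-content) to the question's two requests, and also handles the "*.example.org" subdomain form of Chrome patterns. It assumes that the path part of a Chrome host permission is ignored and that the Add-on SDK compares scheme and fully qualified host exactly; all URLs and permission lists are constructed.

```javascript
// Added example (not the question's or answers' code): models the two
// host-permission regimes the answers describe. Assumptions: Chrome entries are
// match patterns whose path is ignored for host permissions; Add-on SDK entries
// are an exact scheme + fully qualified host with no wildcards (MDN quote).

function chromeHostPatternAllows(pattern, url) {
  const m = /^(\*|https?|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)\/.*$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host] = m;
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1); // "https:" -> "https"
  // A "*" scheme covers only http and https; "http://*/" does not cover https.
  const schemeOk = scheme === "*" ? /^https?$/.test(urlScheme) : urlScheme === scheme;
  let hostOk = u.hostname === host; // exact host
  if (host === "*") hostOk = true; // any host
  else if (host.startsWith("*.")) { // the domain and its subdomains
    const base = host.slice(2);
    hostOk = u.hostname === base || u.hostname.endsWith("." + base);
  }
  return schemeOk && hostOk;
}

function allowedByChrome(permissions, url) {
  // API permissions such as "tabs" carry no "://" and grant no hosts.
  return permissions.filter((p) => p.includes("://")).some((p) => chromeHostPatternAllows(p, url));
}

function allowedByAddonSdk(crossDomainContent, url) {
  const u = new URL(url);
  return crossDomainContent.some((entry) => {
    if (entry.includes("*")) throw new Error("wildcards not allowed: " + entry);
    const e = new URL(entry); // only scheme and host matter; the entry's path is irrelevant
    return e.protocol === u.protocol && e.hostname === u.hostname;
  });
}

// Constructed sample inputs standing in for the question's two examples.
const TIME_SERVER = "http://time.example.net/api/now"; // example one
const CLOSED_PAGE = "https://news.example.org/article/42"; // example two
const SDK_LIST = ["http://example.org/", "http://example.com/"]; // answer 2's package.json

function report() {
  return {
    timeViaGoogleOnly: allowedByChrome(["tabs", "http://www.google.com/"], TIME_SERVER), // false
    timeViaHttpStar: allowedByChrome(["http://*/"], TIME_SERVER), // true
    closedPageViaHttpStar: allowedByChrome(["http://*/"], CLOSED_PAGE), // false: https
    closedPageViaAnyScheme: allowedByChrome(["*://*/*"], CLOSED_PAGE), // true
    timeViaSdk: allowedByAddonSdk(SDK_LIST, TIME_SERVER), // false
    exampleOrgViaSdk: allowedByAddonSdk(SDK_LIST, "http://example.org/feed"), // true
  };
}
```

The closedPageViaHttpStar result is the caveat worth remembering: the asker's "http://*/" permission leaves every https page out, so example two needs a scheme wildcard or an explicit https entry.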