0

In Google Chrome, there's a nice development feature to use the JavaScript console in the context of a content script that's been injected into the page, and also open a console that controls the "background page".

I've been able to use the Browser Console to tinker with my main.js Sandbox thanks to this Stack Overflow answer, but the only way so far I've been able to figure out to access an injected content script for console tinkering is to expose its functions and variables to the page as a with unsafeWindow. (something I'd take out in a release version)

Since Mozilla has said a few months ago that they'd be removing the ability to use unsafeWindow like this , I'm wondering if there an alternate way of accessing a script's Sandbox.

Community
  • 1
  • 1
empyrical
  • 362
  • 2
  • 5
  • 16
  • You can use the "Browser Toolbox". See [this answer](http://stackoverflow.com/a/17579253/331508) for how to enable it. – Brock Adams Aug 07 '14 at 22:05

1 Answers1

0

You can use the add-on debugger to debug add-on scripts, including content scripts. See this blog post for more details.

therealjeffg
  • 5,790
  • 1
  • 23
  • 24
  • I do use that debugger, and the Add-On console that is in Aurora, but from what I've read in the wiki, unless you're interrupting a script, its console only has the ability to run in the context of bootstrap.js (which can access main.js' sandbox in the `loader` object). You see what I'm trying to do without unsafeWindow by enabling the `"unsafe-content-script"` in an add-on, putting `unsafeWindow.contentScript = this;` into a content script that's injected into a page, and then from that web page's console type `cd(contentScript)` to have a console that's in the context of a content script. – empyrical Aug 08 '14 at 04:55
  • Wow, that's pretty unsafe! Does it work? You're right that you need to set a breakpoint to be able to set the current scope of the debugger and console to main.js. We're hoping to fix this in [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1005193) but it requires changes to Firefox. – therealjeffg Aug 08 '14 at 15:58
  • Yeah the safety issue is why I use it sparingly and only when developing, but using this way to `cd()` into a content script's scope does seem to work (I discovered it a few days ago). I just did more tinkering, and using `cd()` on `loader.sandboxes[main.js url]` in the addon console and as mentioned, it doesn't seem to work sadly, but would be amazing if fixed. The content script is an [XrayWrapper](https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_bindings/XPConnect/XPConnect_wrappers), is there a way to see the xray wrappers attached to a window from the browser console? – empyrical Aug 08 '14 at 19:29
  • No, and this is because all of the barriers you're running into are legitimate security barriers we put there on purpose. You could try the new api in the content script, 'cloneInto', see https://blog.mozilla.org/addons/2014/04/10/changes-to-unsafewindow-for-the-add-on-sdk/ – therealjeffg Aug 08 '14 at 22:02
  • I see, thank you! I guess I'll have to find a different way to tinker with my content scripts in Firefox webpages – empyrical Aug 09 '14 at 00:52