Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add User Scripts API proposal #331

Merged
merged 18 commits into from
Feb 16, 2023
Merged

Add User Scripts API proposal #331

Changes from 9 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
199fa30
Add User Scripts API proposal
emilia-paz Dec 2, 2022
875c2ea
Update proposals/user-scripts-api.md
EmiliaPaz Dec 2, 2022
a02e44d
Fix bag merge in 875c2ea
EmiliaPaz Dec 5, 2022
14b80d9
Add links to methods documentation
EmiliaPaz Dec 6, 2022
12d0a3d
Remove trailing whitespace
Dec 6, 2022
340606a
Normalize on two spaces after a period
Dec 6, 2022
6c8718a
Grammar cleanup
Dec 7, 2022
9855f6c
Merge pull request #2 from dotproto/user-scripts-api-proposal
EmiliaPaz Dec 7, 2022
253ddc4
Update proposal after resolving discussions
EmiliaPaz Jan 19, 2023
f01435c
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
da0c84c
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
03dbd9d
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
faebdd5
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
aaad2a8
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
84cc7d6
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
79cbbf6
Update proposals/user-scripts-api.md
EmiliaPaz Feb 1, 2023
b613c2f
Update userScripts.configureWorld parameter
EmiliaPaz Feb 1, 2023
b68b794
Update proposals/user-scripts-api.md
Rob--W Feb 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
189 changes: 189 additions & 0 deletions proposals/user-scripts-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,189 @@
# User Scripts API

## Background

### User Scripts and User Scripts Managers

[User scripts](https://en.wikipedia.org/wiki/Userscript) are (usually relatively small) snippets of code that are injected into web pages in order to modify the page's appearance or behavior. User script managers are a type of extension that is used to manage the collection of these user scripts, determining when and how to inject them on web pages.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the API design, it's relevant to consider that there are scripts requiring access to JS in the page's context and/or whether they need access to the user script API. As seen in the table at "Background" at #279 (comment)

The world + code part of this proposal fully covers the first two rows.

The (existing) scripting API plus its (existing) main world covers the third row.

The fourth row (i.e. page access + user script API access) is being addressed by the proposed CSP relaxation here. That chosen approach removes the ability for the browser to take control of the injection though (but this is already an issue in MV2, so that could be iterated on later).


User scripts can be created directly by the user or found in a number of different user script repositories around the web.

### Manifest V3

Manifest Version 3 (MV3) restricts the ability for extensions to use remotely-hosted code since it is a major security risk (cannot review or audit code that isn't in the extension package). This is directly at odds with user script managers, which fundamentally require the execution of arbitrary code (the user scripts themselves). This creates a feature gap between MV2 and MV3.

## Goal

User scripts satisfy an important use case for power users, allowing them to quickly and easily tweak the functionality of a web page. Therefore, we propose adding a **new API to register user scripts with arbitrary code** targeted specifically for user scripts. However, we will also take a number of steps to help reduce the abuse-ability of this API and ensure we don't lose the benefits of the remotely-hosted code restrictions from MV3.

### Multi-phase design

User script support will have a multiphase design and implementation process. The initial implementation has the following goals:

- Achieving functional parity with MV2 for user scripts managers, enabling migration to Manifest V3
- Setting the foundations needed for future enhancements that will allow the browser to take more responsibility for the user script injection
- Limiting abusability

### Initial Requirements

The rest of this proposal focuses on the first iteration with the following requirements:

- **(A)** A mechanism to execute code in the main world
- **(B)** The ability to execute code (with a separate CSP) in a world different from the main world and the extension's isolated world
- **(C)** A separate user script permission
- **(D)** Communication between JavaScript worlds
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved

## Proposal

### New Namespace

User scripting related features will be exposed in a new API namespace, tentatively named `userScripts`. The proposal authors favor the use of a new namespace for several reasons.

1. **Better set developer expectations.** The clear separation between user and content scripts will reduce confusion for developers for which API methods to use and what the capabilities / restrictions of each are. This naming also more clearly communicates that this capability is not meant as a general purpose way to inject arbitrary scripts.

2. **Stronger enforcement of remotely hosted code abuse.** A distinct namespace allows people to more clearly see where user scripts features are being used and more easily spot abuse patterns.

3. **Easier engineering implementation.** Browser vendors should be able to restrict the execution world and different API methods behind features.

4. **Introduce a user script world with custom CSP.** Allow user scripts to opt-in to a more secure world that is only available in this namespace.

### API Schema

#### Types

```
dictionary RegisteredUserScript {
boolean? allFrames;
ScriptSource[] js;
xeenon marked this conversation as resolved.
Show resolved Hide resolved
string[]? excludeMatches;
string id;
string[]? matches;
// Default to `document_idle`
RunAt runAt;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many userscripts need document_body which means the moment the <body> element appears. If this mode is not implemented in Chrome natively, each USM will have to re-implement it via a workaround that may behave differently.

// Allows `USER_SCRIPT` (default) and `MAIN`
// and returns error for `ISOLATED`.
ExecutionWorld? world;
// Implemented as disjunctions.
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
string[]? includeGlobs;
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
string[]? excludeGlobs;
}
dictionary UserScriptFilter {
string[]? ids;
}
// Errors if both code and file are specified.
dictionary ScriptSource {
string code;
string file;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Specify file to be a relative URL; relative to the extension root? (opposed to an absolute URL or a URL relative to the current execution context).

EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
}
```

#### Methods

EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
```
browser.userScripts.register(
scripts: RegisteredUserScript[],
callback?: function
)
browser.userScripts.unregister(
filter?: UserScriptFilter[],
callback?: function
)
browser.userScripts.getScripts(
filter?: UserScriptFilter[],
callback?: function
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
)
browser.userScripts.update(
scripts?: RegisteredUserScript[],
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
callback?: function
)
```

### Requirements

#### A. A mechanism to execute code in the main world

- User scripts can be registered in the `MAIN` world.
- Extension can customize the `USER_SCRIPT` world's CSP to inject a script tag into the host page (expanded in requirement B)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this intended mechanism of unblocking user script managers in the transition to MV3, the minimum necessary to support user script managers is just to allow then to insert inline script elements in the web page, from the content script (not necessarily a user script world).

The current proposal proposes a runtime method to override the CSP of the user script world. The dynamic aspect of the runtime API is not required, a static manifest key would be enough for the use case. This feature existed before in the form of the content_security_policy.isolated_world manifest key but was dropped in https://chromium.googlesource.com/chromium/src.git/+/345390adf6505881f84da2351c3e4fc1b06dac26%5E%21/ after concerns over the ability to enforce it.

To unblock the user script managers from transitioning from MV2 to MV3, it would suffice to allow the CSP for content scripts to be customized, to relax the current MV3 CSP requirements by accepting 'unsafe-inline' too. With this added relaxation, the least secure CSP that the extension can have is script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline'. Because this still excludes unsafe-eval, extensions cannot have arbitrary RCE in the (privileged) content script world, while still being able to run inline code in the main world.

The approach sketched in this comment meets requirements A, B and D (D because the extension can try to carefully sets up its own channel, which it can because it controls the script injection). Requirement C is independent and optional: because the feature is toggled through the manifest.json file, its presence can be statically detected by the browser and automated scanners and/or reviewers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I am reading correctly, there are two proposals here (and in the next comment):

  1. Relax the current MV3 CSP requirements in the extension ISOLATED world by accepting 'unsafe-inline' too, or
  2. Static user script world customization in the manifest

For 1.,’unsafe_inline’ allows remote host code. Thus, we cannot allow it in the extension ISOLATED world as it
would affect all content scripts and not just user scripts.

For 2., static world customization is easier, since most extensions will set the user script manifest, and makes it easier for revision. However, dynamic world customization allows to dynamically change CSP. This can be useful for user script managers as they can set the CSP based on the user scripts. Additionally, in the future we would like to have separate USER_SCRIPT worlds. Having manifest entries for each world would be messy, thus a method is preferred.
Thus, dynamic CSP customization is better for user script managers overall and allows for extensibility.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the comments, Rob and Emilia!

@Rob--W : As Emilia points out, the main reason for not just allowing unsafe-inline in an isolated world CSP is that we want to gate this behavior on the user script permission. Additionally, only allowing it in the user script world (rather than in the main isolated world) limits the permission of that code, which is also desirable.

Because this still excludes unsafe-eval, extensions cannot have arbitrary RCE in the (privileged) content script world, while still being able to run inline code in the main world.

I disagree with this. unsafe-inline is sufficient to have full remote code execution, AFAIK. Consider:

(async () => {
  let fetchResult = await fetch(...);
  let evilCode = await fetchResult.text();
  let scriptTag = document.createElement('script');
  let scriptTag.text = evilCode;
  document.body.appendChild(scriptTag);
})();

This will execute any arbitrarily-fetched code and requires only unsafe-inline (not unsafe-eval). Because of this, we don't want to allow arbitrary content scripts to have this relaxed CSP.

As you've correctly highlighted, our first goal here is to allow user script managers to migrate to MV3. We'd like to provide them with more capabilities in the future (including some form of secure inter-world communication) and allow the browser to take on more of the injection duties; this is something we'll continue iterating on. But we'd like this initial version to unblock the transition such that user script managers can behave similarly to how they do in MV2.

To clarify: If we provide the capabilities outlined in this proposal (the ability to inject arbitrary code into a less-permissioned user script world that has a relaxed CSP), do you agree user script managers should be able to migrate?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may also be relevant to consider how many userscripts would cease to function without certain capabilities, even if the bare functioning of the userscript manager itself is migrated.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify: If we provide the capabilities outlined in this proposal (the ability to inject arbitrary code into a less-permissioned user script world that has a relaxed CSP), do you agree user script managers should be able to migrate?

@rdcronin It depends.

Being able to execute arbitrary code in a userscript world is one step and some scripts would already work then, but many userscripts need access to unsafeWindow which is the main world window object.

So either the userscript world can access the main world window object like the contentWindow of an iframe or "has a relaxed CSP" means the userscript world is able to inject arbitrary code into the page and this code is exempt from the page's CSP (like script tags injected by a content script in mv2).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rdcronin

Would this allow us to eliminate the need for three-party (ISOLATED, USER_SCRIPT, and MAIN worlds) communication entirely?
This wouldn't allow for synchronous access to any APIs available in content scripts. [...] Are any of these critical for user script functionality?

None of the mentioned ones is critical, but as @tophf mentioned a replacement for runtime.sendMessage and if possible runtime.connect is required.

I'm however not sure that empowering the USER_SCRIPT world to become a "ISOLATED world" light is the right way.
If you ask me (and it's also part of @tophf's preferably list), then userscripts should be executed in the USER_SCRIPT world some day and be able to access the MAIN world via a iframe contentWindow-like object.
This way userscripts would have a clean environment and prototypes. And if the USM can control the CSP of the USER_SCRIPT world, it can use it now to emulate MV2 behavior (run in MAIN_WORLD) and once the MAIN_WORLD "contentWindow" is available run them in the USER_SCRIPT world.

I see that this is only called out as "limited support" on the tampermonkey docs?

Content script (and the initial main world script) injection needs to be at document_start.
The docs mention limited support for document_start userscript injection because the scripts can not be transferred synchronously to the content script (except if using the cookie+objectURL hack for critical scripts). Therefore userscripts might run later than document_start.

We'd never be able to guarantee that the main world couldn't interact or affect the injected script.

I know. That's why we are working on a future path to improve this. 😉 This is also another chance to advertise my MAIN_WORLD contentWindow. 😁

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, this seems promising : )

I think this is worth pursuing as a way to unblock MV3 migration for USMs, and once this initial phase is agreed upon, we can begin iterating on enhancements to make it better and move more towards a future where the browser can take on more of the injection responsibilities.

Concretely, how about we update this PR to include:

  1. The ability to register/unregister/configure user script objects (userScripts.register(), userScripts.unregister(), userScripts.getScripts(), userScripts.update()). This is largely unchanged from the current draft (though perhaps we should add a file parameter to the registered script, to reflect how it is more likely to be used at first).
  2. The ability to relax CSP in the user script world and control whether any extension APIs are exposed. I suggest we handle both of these with the configureWorld() function by changing the argument to be an object like { csp?: string, enableMessaging?: bool }. If csp is undefined, the isolated world CSP is used; if enableMessaging is undefined or false, no extension APIs are exposed. if csp is defined, that CSP is used in the USER_SCRIPT world. If enableMessaging is true, we expose chrome.runtime.sendMessage() and chrome.runtime.connect(). Here, I'm suggesting the runtime variants here, instead of something like userScripts.sendMessage, to align more with the existing pattern used by both web pages and content scripts; I'm open to bikeshedding this. I suggest enableMessaging (and not enableAPIs) to account for more flexibility in the future, e.g. whether the extension may want to control if the dom API is exposed.
  3. Introducing a new event for receiving messages from user scripts (similar to the prior art of runtime.onMessageExternal). userScripts.onMessage and userScripts.onConnect make sense to me, but I could see an argument for following the pattern of runtime here, too, and introducing a runtime.onUserScriptMessage() and runtime.onUserScriptConnect.

With these changes, USMs will be able to migrate to MV3, but will have to continue jumping through the same hoops they do today. It would be possible that a few user script injections could be delegated to the browser by registering them with world: main if they were ones that didn't require any communication with the extension; I don't know how easily that can be determined from the user script metadata.

Subsequently, file new issues (or reuse existing ones) for some of the items we've discussed for future improvements:

  1. Allow user scripts to inject in unique worlds. I'd propose we do this by the introduction of a worldId in userScripts.register(); user scripts with the same worldId inject in the same world. If undefined, user scripts are injected into the default user script world (say, ID 0). configureWorld can then be expanded with a worldId to allow configuring individual worlds' properties (both CSP and availability of APIs). I think this is a relatively straigthforward and desirable change, with the open questions of performance.
  2. Providing an explicit API for an extension to execute code in the main world from a USER_SCRIPT world (or ISOLATED world). Apart from bikeshedding, I think this is fairly straightforward.
  3. A mechanism for USER_SCRIPT worlds to fetch or receive data from blobs.
  4. A secure communication channel for extension scripts to use between worlds.
  5. Establish common behaviors for the CSP of scripts injected into the main world by an extension (it seems there's some difference in how this works between browsers today). This ties into @tophf 's request for "create link, script, style elements even if their src or href or contents violates CSP of the page so that the users don't have to nuke the site's CSP header altogether."
  6. Provide a way for the USER_SCRIPT (or ISOLATED) world to directly access the main world (e.g. via an iframe contentWindow-like object).

Some of these will take more work and discussion than others (and I'm honestly not sure how feasible 6) is), but I think it's worth discussing all of them.

With this, we'd unblock this first iteration of the userScripts API, enable USMs to migrate to MV3, and have a road forward to future improvements where the browser can take progressively more responsibility for the USM injection.

Does that sound reasonable?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rdcronin Your proposal looks great! Would you mind creating a new PR with your proposal? Then we can close/archive the current state of this PR, along with the discussion and very useful thread here for future reference.

In the update, could you also explicitly mention the desired behavior with regards to:

  • persistence of the registrations (e.g. persistAcrossSessions). I guess that the behavior is to persist for as long as possible?
  • order of execution: is it the order in the order of registration? Is the order reflected in getScripts()? What happens when modified by update()? If needed, future work could be to add a method to re-order scripts (if desired by USM).

Other remarks:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This discussion is addressed in the latest commit.
Resolving this discussion for now.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've marked this thread as unresolved, because otherwise the permalinks in the ToC are broken. I'd like the discussions to be easily referenced because the arguments and discussion are significant in the design and shape of the final API design.


#### B. The ability to execute code (with a separate CSP) in a world different from the main world and the extension's isolated world

##### `USER_SCRIPT` World

- Exempt from the page's CSP, can customize its own CSP (e.g can allow injection of `unsafe-inline`).
- Can communicate with the extension using extension messaging APIs (expanded under [Messaging](#Messaging)).
- Isolated from the web page (similar to other isolated worlds), but will be largely un-permissioned. It will not have access to any extension APIs, except messaging APIs mentioned, and will not have any cross-origin exceptions (these don't exist in Chrome, but do in other browsers). In the future, we may bring more APIs (such as chrome.dom APIs or a dedicated API to execute a script in the main world), but these APIs will not grant any additional privilege to the script beyond what it has to access the page content.
- Can communicate with different JS worlds via `window.postMessage()`. A dedicated API to communicate between worlds is being considered as part of future work.
- Shares DOM with the web page. Code from both worlds cannot directly interact with each other, except through DOM APIs.
- When an asymmetric security relationship may exist, the `MAIN` world is considered to be less privileged than the `USER_SCRIPT` world

##### Configuration

```
browser.userScripts.configureWorld(
Rob--W marked this conversation as resolved.
Show resolved Hide resolved
csp?: string
enableMessaging?: bool
)
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
```
where
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved
- If csp is defined, it is used in the `USER_SCRIPT` world. Otherwise, the `ISOLATED` world CSP is used.
- If `enableMessaging` is true, messaging APIs are exposed. Otherwise, if false or undefined, messaging APIs are not exposed.
In the future, if we allow multiple user script worlds (see section in Future Work below), this method can be expanded to allow for a user script world identifier to customize a single user script world.
Rob--W marked this conversation as resolved.
Show resolved Hide resolved

##### Messaging

User scripts can send messages to the extension using extension messaging APIs: `browser.runtime.sendMessage()` and `browser.runtime.connect()`. We leverage the runtime API (instead of introducing new userScripts.onMessage- and userScripts.sendMessage-style values) in order to keep extension messaging in the same API. There is precedent in this (using the same API namespace to send messages from a different (and less trusted) context, as chrome.runtime is also the API used to send messages from web pages.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it makes more sense to add a new namespace for messaging with the userScripts API, instead of runtime.sendMessage/connect, for the following reasons:

  • If future work introduces additional functionality, it would need a namespace to hold the methods. We may as well introduce the namespace now, e.g. userScriptContent.
  • In this API, eventually code will be running in the MAIN world and the USER_SCRIPTS world. It may be confusing if runtime.sendMessage/connect from MAIN triggers runtime.onMessageExternal/runtime.onConnectExternal, while exactly the same code triggers runtime.onUserScriptMessage/runtime.onUserScriptConnect in USER_SCRIPT (... and runtime.onMessage/runtime.onConnect in ISOLATED_WORLD through content scripts, e.g. the scripting API).
    • I already see frequent confusion among developers who do not understand the difference between the runtime.sendMessage/connect APIs in web pages vs content scripts, where the observable difference is that the former requires an extensionId parameter.
  • The extensionId parameter allows communication with other extensions. Since the method is explicitly meant to be used by user script managers, I don't think that this would be desirable. This could easily be addressed at the implementation level by rejecting the extensionId parameter, but good luck with documenting that...

What do y'all think of these APIs instead:

  • browser.userScriptContent.sendMessage / connect
  • browser.userScripts.onMessage / onConnect

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I strongly feel we should not add yet-another namespace for this. I think documenting the differentiation between userScriptContent and userScripts would be extremely difficult. I also think that having the API go from two different namespaces (userScriptsContent.sendMessage -> userScripts.onMessage) is very confusing.

I don't think that reusing the existing runtime methods is perfect, either — I think each have their challenges, but because IMO there's no clear right choice, I'd prefer to go for the one that is more consistent and involves fewer pieces.

No matter what, there will be some confusion — having the messaging API exposed on a different namespace makes it different than sending a message from any other context, where you can always use chrome.runtime. In any of these cases, we'll need documentation, and developers will need to learn the different conventions. I prefer leveraging chrome.runtime because:

  • It's more inline with existing messaging behavior, overall (extension frames / SWs and content scripts both use chrome.runtime to send messages)
  • It avoids the need to introduce new API namespaces and the confusion that spans from that
  • It's simpler implementation-wise, leading to less risk of skew between different messaging APIs

I also think there's good potential here with the getContexts() API and messaging changes we're planning there (allowing the extension to target a specific context) and this work — for sending messages from an extension frame or SW to a user script, we can leverage that API. Looking farther down the road, I think it'd make sense to have only runtime.sendMessage() and runtime.connect() and to use these with targeted contexts. I don't suggest we do this yet (it's a very breaking change), but I think we can take steps in that direction.

Extensions can receive messages from user scripts with new event handlers: `browser.runtime.onUserScriptMessage()` and `browser.runtime.onUserScriptConnect()`. We want new events instead of using `browser.runtime.onMessage()` to make it clear the message is coming from a user script in a less-trusted context. There is precedent for this in the form of onMessageExternal and onConnect external.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other messaging APIs are attached to runtime because there is no more fitting namespace where they could be added. Despite the runtime API being available to every extension context (including the lower-privileged ISOLATED world), the intent is to only expose these events to privileged extension contexts, right?


#### C. A separate user script permission

- A new extension permission will be added, and will be required in order to register user scripts. This permission should be scoped specifically to the purpose of user scripts (as opposed to a general "remotely-hosted code" permission).
- Browser vendors then can use it to:
- Inform their review pipeline that this is a particularly risky extension, and extra caution should be taken to ensure this is a valid use of the API.
- Reduce the likelihood of extensions using it for other purposes and allows browser vendors to act on any permissions that do as being non-compliant
- Present the user with different permission warnings, UI, or other gating, if they deem it necessary.

#### D. Communication between JavaScript worlds

As mentioned in requirement A, the user script world can communicate with different JS worlds via [`window.postMessage()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) and DOM APIs. New communication methods are being considered as potential future enhancements. This is clunky and imperfect, but allows extensions to migrate to MV3 leveraging the same logic they have in MV2 today. New, dedicated communication methods are being considered as potential future enhancements.

### Other considerations

- When multiple scripts match and have the same runAt schedule, the execution order is:
- Scripts registered via the content_scripts key in the manifest file
- Scripts registered via [`scripting.registerContentScripts()`](https://developer.chrome.com/docs/extensions/reference/scripting/#method-registerContentScripts), following the order they were registered in. Updating a content script doesn't change its registration order.
- Scripts registered via `userScripts.register()`, following the order they were registered in. Updating a user script doesn’t change its registration order.
- User scripts are always persisted across sessions, since the opposite behavior would be uncommon. (We may explore providing an option to customize this in the future.)

### Browser level restrictions

From here, each browser vendor should be able to implement their own restrictions. Chrome is exploring limiting the access to this API when the user has enabled developer mode (bug), but permission grants are outside of the scope of this API proposal.

## (Potential) Future Enhancements

### `USER_SCRIPT`/ `ISOLATED` World Communication

In the future, we may want to provide a more straightforward path for communication with a `USER_SCRIPT` world (as opposed to the [`window.postMessage()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) approach highlighted above).

### Separate `USER_SCRIPT` Worlds

In addition to specifying the execution world of `USER_SCRIPT`, we could allow extensions to inject in unique worlds by providing an identifier. Scripts injected with the same identifier would inject in the same world, while scripts with different world identifiers inject in different worlds. This would allow for greater isolation between user scripts (if, for instance, the user had multiple unrelated user scripts injecting on the same page).

### Execute user scripts one time

Currently, user scripts are registered and executed every time it matches the origin in a persistent way. We may explore a way to execute a user script only one time to provide a new capability to user scripts (e.g `browser.userScripts.execute()`).
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved

### Establish common behaviors for the CSP of scripts injected into the main world by an extension

Create certain HTML elements even if their src, href or contents violates CSP of the page so that the users don't have to nuke the site's CSP header altogether.

### Dedicated API to execute code in the `MAIN` world from another world

Provide an explicit API for an extension to execute code on the main world from a `USER_SCRIPT` or `ISOLATED` world.

### Direct access to the `MAIN` world from another world

Provide a way for the `USER_SCRIPT` or `ISOLATED` world to directly access the MAIN world (e.g. via an iframe contentWindow-like object).

## Discussion Guidelines

Please keep discussion to the first iteration introduced by this proposal. Future enhancements can be tracked in the WECG [issue tracker](https://github.com/w3c/webextensions/issues).
EmiliaPaz marked this conversation as resolved.
Show resolved Hide resolved