Prevent content scripts to be injected in iframes

<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 1:07 pm

Prevent content scripts to be injected in iframes

Is there a way to prevent content scripts from being injected in all frames of the current tab? If I visit a page with many iframe ads (like techcrunch) it loads my page_mod like a million times, one for every iframe, which is inefficient to say the least and annoying to debug. In google chrome there is an 'all_frames' option defaulted to false which prevents that from happening.

What do we do in moz land?
<<

canuckistani

Posts: 47

Joined: Fri Jul 29, 2011 1:43 pm

Post Wed Aug 31, 2011 1:25 pm

Re: Prevent content scripts to be injected in iframes

How are you injecting your content scripts? If you're using page-mod you should be able to restrict injection to a specific set of urls.
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 1:42 pm

Re: Prevent content scripts to be injected in iframes

Using pageMods. How can I restrict content scripts to run in all urls, but only in top frames?
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 1:44 pm

Re: Prevent content scripts to be injected in iframes

Btw, I am trying the infamous framebuster script to try to detect frames but using window.top.location.href == window.location.href is not giving me the right result, matter of fact both are giving me the topmost url.
<<

kwierso

Posts: 116

Joined: Mon Jul 04, 2011 12:26 pm

Post Wed Aug 31, 2011 2:17 pm

Re: Prevent content scripts to be injected in iframes

haxapp wrote:Btw, I am trying the infamous framebuster script to try to detect frames but using window.top.location.href == window.location.href is not giving me the right result, matter of fact both are giving me the topmost url.

What about window.top == window.self ?
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 2:31 pm

Re: Prevent content scripts to be injected in iframes

Nop, not working. Looks like 'self' gets hijacked by an addon object and it does not provide a location.href value. Also window and window.top for some weird reason point to the same object, which in real life they shouldn't, addon sdk bug perhaps?

But trying to solve this issue within the content script is not the best way, since I am loading jquery and some other huge scripts it is really inefficient to load them all for every iframe instance. I think it should be solved on the main.js side in the pagemod object, avoiding the injection from there. Is there an onBeforeAttach method? That may solve it if we can access the iframe's window.location.href before injecting scripts and comparing it to the tab.url and returning false in such case, so no scripts are injected. But then again, google chrome saves us all from that pain with just one property of the pagemod as stated before.

Any other ideas?
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 2:35 pm

Re: Prevent content scripts to be injected in iframes

To test this issue, just place a console.log('Content script loading for url: ',window.location.href) at the top of your content script and go to techcrunch. Check your console go nuts.
<<

canuckistani

Posts: 47

Joined: Fri Jul 29, 2011 1:43 pm

Post Wed Aug 31, 2011 2:54 pm

Re: Prevent content scripts to be injected in iframes

haxapp wrote:Btw, I am trying the infamous framebuster script to try to detect frames but using window.top.location.href == window.location.href is not giving me the right result, matter of fact both are giving me the topmost url.


If you are running in a contentScript, this might be:

  Code:
if (unsafeWindow.top.location.href == unsafeWindow.location.href) {

}
<<

kwierso

Posts: 116

Joined: Mon Jul 04, 2011 12:26 pm

Post Wed Aug 31, 2011 3:23 pm

Re: Prevent content scripts to be injected in iframes

This works for me:
  Code:
if(unsafeWindow.self == unsafeWindow.top) {
  //do stuff
}
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Wed Aug 31, 2011 3:30 pm

Re: Prevent content scripts to be injected in iframes

Good, at least we can know when not to run the content scripts, but it would be better to know when not to inject them. We're one step closer. Thanks guys.
<<

canuckistani

Posts: 47

Joined: Fri Jul 29, 2011 1:43 pm

Post Thu Sep 01, 2011 10:16 am

Re: Prevent content scripts to be injected in iframes

haxapp wrote:Good, at least we can know when not to run the content scripts, but it would be better to know when not to inject them. We're one step closer. Thanks guys.


I think this might be generally useful for page-mod development to be able to optionally limit page-mod injections to the top document in a tab. Again, the use case would be - all pages, but only top-level pages?

Would you mind adding a bug for this, and cc me?

https://bugzilla.mozilla.org/enter_bug. ... d-on%20SDK

Edit: I should add, it feels super hacky to me that we need to use unsafeWindow here, it should be easier to target page-mods or, at least in your content script, to be able to detect things like this.
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Thu Sep 01, 2011 2:35 pm

Re: Prevent content scripts to be injected in iframes

"the use case would be - all pages, but only top-level pages?"

Exactly, we don't want our scripts to be injected in all iframes of the page (most of them are useless ads if not all) but there should always be an option to let the dev decide: [ all | top | filter ] being top frame the default.

I am new to filing bugs so didn't know how to cc you, here is the link
https://bugzilla.mozilla.org/show_bug.cgi?id=684047
<<

canuckistani

Posts: 47

Joined: Fri Jul 29, 2011 1:43 pm

Post Thu Sep 01, 2011 3:04 pm

Re: Prevent content scripts to be injected in iframes

Awesome, thanks!

We might lean in favour of the opinion that add-on developers should implement guards against where & how their content scripts are loaded, but we definitely need to make it easier to do that than using unsafeWindow.
Last edited by canuckistani on Thu Sep 08, 2011 7:48 am, edited 1 time in total.
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Thu Sep 01, 2011 3:37 pm

Re: Prevent content scripts to be injected in iframes

Absolutely, that's why this issue should be dealt with in the main.js side, not the content side. Adding an option to the page-mod constructor like

  Code:
modder = PageMod({
  include: '*',
  frames: 'all | top | *.myfilter.org',
  contentScriptWhen : 'ready',
  contentScriptFile : [ myscripts,... ]
})


that way there is no need to check unsafeWindows or other tricky hacks.
<<

haxapp

Posts: 18

Joined: Thu Aug 04, 2011 5:17 pm

Post Thu Sep 01, 2011 4:14 pm

Re: Prevent content scripts to be injected in iframes

So this is what I am doing as a workaround, my pagemod only injects a decoy that checks if unsafeWindows top and self are the same, if so, sends a message to main to load the rest of the scripts, ignoring all other frames:

  Code:
content = pageMod.PageMod({
  include: '*',
  contentScriptWhen : 'ready',
  contentScript :
    'if(unsafeWindow.top==unsafeWindow.self){'+
      'self.postMessage({action:"content.load"})'+
    '} else { console.log("AN IFRAME!!1! AAARGH") }'
})


Now if I visit techcrunch, I see almost 30 log entries for iframes, and the scripts are only loaded once.

If anybody knows a better workaround feel free to post it here.
<<

tristang

Posts: 21

Joined: Thu Jul 28, 2011 12:38 am

Post Tue Sep 27, 2011 5:09 pm

Re: Prevent content scripts to be injected in iframes

Looks like you've already found a way forward, but here's how I handled this issue recently:

  Code:
 
   if (window.frameElement === null){
     self.port.emit('amTopmostFrame');
  }


This seems to work reliably without having to use unsafeWindow.

Return to Add-on SDK & Add-on Builder

Who is online

Users browsing this forum: No registered users

cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
CA Gen2 style designed by Vjacheslav Trushkin.