This may be rather stupid question, and I apologize if so; but is it possible to have an extension install including a “pre-loaded” indexedDB database?
If the data is included in the manifest as a text file, can it be auto-loaded into the extension database without making another step for the user?
Thank you for considering my question.
Sure, you can write code that inserts data into the indexedDB.
Thank you. May I ask a related question please?
Can a file be added to the manifest for a specific set of users only, such as those that “register” their copy or choose to add additional features? The initial installed extension would be a default load and then, after registering, the user could choose which components to load and the required files would be added to that user’s manifest.
Otherwise, the necessary content, such as JS scripts, could be sent from the server and stored in the extension’s indexedDB, as long as the db consistently persists instead of being deleted frequently requiring the user to go through the process repeatedly.
The question may sound a bit odd but I’ve been working on this project for over two years and it keeps growing, and I keep moving back and forth between keeping it an extension or using node/Electron. I’d rather keep it an extension but, since the extension allows users to build and share “modules” that can be “played/executed”, I’m trying to find a reasonable way to protect what they build and share so that they can be executed only and not changed. Only to a reasonable level.
I came across some information about XULRunner the other day and thought that would be perfect for what I need to do and then found that it has been deprecated, without anything similar.
Thank you.
Your extension should not run any JS it has downloaded itself. See https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Development_Practices
What you could do is have an unlisted extension with the extra features that you only distribute to people that pay your license and then use communication to interface between the two. Or just have a completely separate “pro” version. I think that should be fine?
Thank you for the warning and suggestions. I hadn’t thought of it as running remote code because I was thinking of it as initializing a database upon registration because it would be performed only once and no remote scripts would ever be downloaded and executed; but I certainly see your point and didn’t much care for my idea anyway.
In your first suggestion, do you mean there can be two extensions that communicate with one another, such that the listed one could possibly be the module player side and the unlisted the build side? I never would have thought of that.
Yes exactly that. See
and friends.
Thank you. I was looking over some of the APIs when reading the link you provided and came across this information.
There is a bullet that reads:
“Allow the extension to load scripts and objects from outside its package, by supplying their URL in the
script-srcorobject-srcdirectives.”
It looks like these two documents, that is, the Development Practices and the Content Security Policy state differing rules? Do you agree or am I misunderstanding something.
Thank you.
CSP is a very generic concept. The API documentation also tries to be as distanced from actual Firefox practices as possible. It also mentions CSP things you can’t use at all.
Thank you for the explanation.
Just to make sure I understand, may I please ask one final follow-up question for clarification?
If, after installation of an extension, a server request is made to the home page in the manifest of the extension that verifies purchase and, if successful, responds with text of a script of custom "library"functions to be stored in the extension’s database and used later through browser.tabs.executeScript for a particular functionality, that would be considered an unsafe and unacceptable practice?
The script wouldn’t be run in the background script or page, but only in a non-extension page.
I suppose it isn’t possible to provide those scripts for review in advance because, even if the scripts were deemed safe, there’s no way to monitor that the scripts approved would always be the only scripts passed by the server.
Please know that I’m not trying to complain about it, I just want to make sure I’m interpreting the rules and your comments correctly; and I understand that it is a difficult task to ensure that an extension is safe and that doing so requires limitations.
Thank you.