Boris Zbarsky wrote:
Francis Brosnan Blázquez wrote:
Definitely exposing a particular and limited API looks like the right
thing. Is there any document or a working example implementing this
concept?
Firebug does this with their console.* APIs, I believe...
The basic strategy is to add a div element to the web page and a script
tag. The script adds window.console.log() functions. These functions
place strings on the div as attributes then raise an event on the div.
Firebug attached an event listener when it injected the div. The
listener peels off the strings to decide what to print in the Console
tab of Firebug. In that last step you have to be careful to ensure that
you don't run arbitrary code from the page.
Firebug's actually implementation is regrettably less concise. Rarely,
the div injection can interfere with layout. And of course any object
you add will collide with identical names used by pages.
Two other tidbits: 1) there is a way to add global objects into the
Javascript world that is rarely used (I don't know more about it), but
that path requires re-analyzing the security issues. 2) there is work
ongoing to make a must less painful solution, so for prototypes I would
not invest a lot of time on this part of the solution.
jjb
_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
