unsafeWindow cannot call GM_xmlhttpRequest (firefox security update for unsafewindow) ff-30+

§
Posted: 20-06-2014
Edited: 20-06-2014

https://blog.mozilla.org/addons/2014/04/10/changes-to-unsafewindow-for-the-add-on-sdk/
**Who’s affected?** (also includes scripts with GM_xmlhttpRequest calls in an unsafeWindow)
Add-on SDK-based add-ons that use unsafeWindow or window.wrappedJSObject in content scripts to share JavaScript objects with the scripts loaded by a web page will be broken by this change.

**The workaround**
In the short term, there’s a new option in package.json called “unsafe-content-script” under the “permissions” key. By setting it to true you can revert to the old behavior:

```json
"permissions": {
  "unsafe-content-script": true
}
```

However, this is only a temporary fix to enable your add-on to keep working while you update to the new APIs. We will deprecate and eventually remove this flag.

**The real fix**
The real fix is to use three new APIs to share objects and functions with web content: cloneInto(), exportFunction(), and createObjectIn(). All three of these functions are made available to content scripts as globals.

(Be aware that the workaround may be removed when a stable release of Firefox 31 or 32 is released. Greasemonkey 2.0 also implements these new security features and is up for release after Mozilla review is complete.)
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/
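
The "real fix" quoted above, applied to this thread's case as an added example (not from the original post or the Mozilla article): rather than letting page code reach GM_xmlhttpRequest, the script exports one validated function with exportFunction() and returns plain data with cloneInto(). The `fetchForPage` name, the allowlisted origin and the fallback shims (used only when the Greasemonkey globals are absent, so the block also runs outside the browser) are assumptions.

```javascript
// Added example, not from the thread: expose one validated function to page
// scripts instead of letting them reach GM_xmlhttpRequest via unsafeWindow.
// The shims below are used only when the Greasemonkey globals are absent.
const pageWindow = typeof unsafeWindow !== "undefined" ? unsafeWindow : {};
const exportFn = typeof exportFunction === "function" ? exportFunction :
  (fn, scope, opts) => { if (opts && opts.defineAs) scope[opts.defineAs] = fn; return fn; };
const cloneTo = typeof cloneInto === "function" ? cloneInto :
  (obj) => JSON.parse(JSON.stringify(obj));
const gmRequest = typeof GM_xmlhttpRequest === "function" ? GM_xmlhttpRequest :
  (d) => d.onload({ status: 200, responseText: '{"constructed":true}' }); // constructed reply

// Assumed allowlist: the only origin page code may reach through the script.
const ALLOWED_ORIGIN = "https://api.example.org";

function isAllowed(url) {
  try {
    // Compare the parsed origin, not a string prefix, so that
    // "https://api.example.org.other.test/" does not pass.
    return typeof url === "string" && new URL(url).origin === ALLOWED_ORIGIN;
  } catch (e) {
    return false; // not a parseable absolute URL
  }
}

// Runs with script privileges; the page supplies only a URL and a callback.
function fetchForPage(url, callback) {
  if (!isAllowed(url) || typeof callback !== "function") return false;
  gmRequest({
    method: "GET",
    url: url,
    onload: (res) => {
      // Hand back a plain-data copy cloned into the page's scope,
      // never the privileged response object itself.
      callback(cloneTo({ status: res.status, body: res.responseText }, pageWindow));
    },
  });
  return true;
}

// Page scripts see window.fetchForPage; nothing else from the script is shared.
exportFn(fetchForPage, pageWindow, { defineAs: "fetchForPage" });
```

In an actual userscript the metadata block also needs `@grant GM_xmlhttpRequest` for the privileged request to be available.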

§
Posted: 09-08-2014

Hi,


Thank you for the information ;)

Regards
Reek
