Initializing Scripts and MutationObserver

Discussions about the development and maturation of the platform code (UXP).
Warning: may contain highly-technical topics.

Moderators: trava90, athenian200

User avatar
RealityRipple
Keeps coming back
Keeps coming back
Posts: 765
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Initializing Scripts and MutationObserver

Unread post by RealityRipple » 2024-11-27, 18:02

While I was working on creating a new extension, I was experimenting with DOM replacement during document rendering using a MutationObserver, and ran into a bit of a behavioral difference. A user on StackOverflow was messing with similar timing, and the answer's example code exposed a slight difference in functionality:

https://stackoverflow.com/questions/45121792/

In other browsers, the MutationObserver is capable of catching a <script> element's creation and removing the script before it begins running, even if it still downloads the file. However, in UXP browsers, the element is removed, but the script is still loaded and run afterwards. I have no idea if this would affect any real-world code; it's a particularly nasty methodology for intercepting scripts, and I definitely won't be using it personally, but I thought it'd be a good idea to mention it, in case anyone else in the future runs into the same thing.

It also brings up the possibility that looking in the DOM for currently existing scripts is not sufficient - a content script could be loaded and running, with no visible presence in the DOM.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 36719
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Initializing Scripts and MutationObserver

Unread post by Moonchild » 2024-11-27, 18:49

RealityRipple wrote:
2024-11-27, 18:02
It also brings up the possibility that looking in the DOM for currently existing scripts is not sufficient - a content script could be loaded and running, with no visible presence in the DOM.
Since Shadow DOM became a thing, relying on the DOM to find all content scripts is no longer a reliable method, period. Closed shadow trees are completely invisible to the main document.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Bilbo47
Lunatic
Lunatic
Posts: 276
Joined: 2017-11-18, 04:24

Re: Initializing Scripts and MutationObserver

Unread post by Bilbo47 » 2024-12-06, 18:55

How is a shadow DOM not a security threat, with code-etc doing things behind the browser's back? Like, why do browsers even look at a DOM that's not a real document? [Lookup] Okay, so some elements have hidden pockets, thus the server not the browser decides how sub-elements are rendered, basically stealing the reason for browsers to exist ... what am I missing about why this is not a Badde Thinge?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 36719
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Initializing Scripts and MutationObserver

Unread post by Moonchild » 2024-12-06, 20:59

The rabbit hole actually goes even deeper than that.
It's a miracle it actually all still works because of how precarious this is and how a lot of it feels like it was just implemented to try and hammer things back shut after making a massive hole with a spike trap at the bottom.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Post Reply