While I was working on creating a new extension, I was experimenting with DOM replacement during document rendering using a MutationObserver, and ran into a bit of a behavioral difference. A user on StackOverflow was messing with similar timing, and the answer's example code exposed a slight difference in functionality:
https://stackoverflow.com/questions/45121792/
In other browsers, the MutationObserver is capable of catching a <script> element's creation and removing the script before it begins running, even if it still downloads the file. However, in UXP browsers, the element is removed, but the script is still loaded and run afterwards. I have no idea if this would affect any real-world code; it's a particularly nasty methodology for intercepting scripts, and I definitely won't be using it personally, but I thought it'd be a good idea to mention it, in case anyone else in the future runs into the same thing.
It also brings up the possibility that looking in the DOM for currently existing scripts is not sufficient - a content script could be loaded and running, with no visible presence in the DOM.
Initializing Scripts and MutationObserver
Moderators: trava90, athenian200
- RealityRipple
- Keeps coming back
- Posts: 765
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: Initializing Scripts and MutationObserver
Since Shadow DOM became a thing, relying on the DOM to find all content scripts is no longer a reliable method, period. Closed shadow trees are completely invisible to the main document.RealityRipple wrote: ↑2024-11-27, 18:02It also brings up the possibility that looking in the DOM for currently existing scripts is not sufficient - a content script could be loaded and running, with no visible presence in the DOM.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Initializing Scripts and MutationObserver
How is a shadow DOM not a security threat, with code-etc doing things behind the browser's back? Like, why do browsers even look at a DOM that's not a real document? [Lookup] Okay, so some elements have hidden pockets, thus the server not the browser decides how sub-elements are rendered, basically stealing the reason for browsers to exist ... what am I missing about why this is not a Badde Thinge?
Re: Initializing Scripts and MutationObserver
The rabbit hole actually goes even deeper than that.
It's a miracle it actually all still works because of how precarious this is and how a lot of it feels like it was just implemented to try and hammer things back shut after making a massive hole with a spike trap at the bottom.
It's a miracle it actually all still works because of how precarious this is and how a lot of it feels like it was just implemented to try and hammer things back shut after making a massive hole with a spike trap at the bottom.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite