| blob | d4d2f69e9d1e4f96f664715c1e04e6952ae224f7 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
3 * You can obtain one at http://mozilla.org/MPL/2.0/. */
5 /* globals catcher, callBackground, content */
6 /** This is a content script added to all screenshots.firefox.com pages, and allows the site to
7 communicate with the add-on */
9 "use strict";
11 this.sitehelper = (function() {
13 // This gives us the content's copy of XMLHttpRequest, instead of the wrapped
14 // copy that this content script gets:
15 const ContentXMLHttpRequest = content.XMLHttpRequest;
17 catcher.registerHandler((errorObj) => {
18 callBackground("reportError", errorObj);
19 });
22 const capabilities = {};
23 function registerListener(name, func) {
24 capabilities[name] = name;
25 document.addEventListener(name, func);
26 }
28 function sendCustomEvent(name, detail) {
29 if (typeof detail === "object") {
30 // Note sending an object can lead to security problems, while a string
31 // is safe to transfer:
32 detail = JSON.stringify(detail);
33 }
34 document.dispatchEvent(new CustomEvent(name, {detail}));
35 }
37 /** Set the cookie, even if third-party cookies are disabled in this browser
38 (when they are disabled, login from the background page won't set cookies) */
39 function sendBackupCookieRequest(authHeaders) {
40 // See https://bugzilla.mozilla.org/show_bug.cgi?id=1295660
41 // This bug would allow us to access window.content.XMLHttpRequest, and get
42 // a safer (not overridable by content) version of the object.
44 // This is a very minimal attempt to verify that the XMLHttpRequest object we got
45 // is legitimate. It is not a good test.
46 if (Object.toString.apply(ContentXMLHttpRequest) !== "function XMLHttpRequest() {\n [native code]\n}") {
47 console.warn("Insecure copy of XMLHttpRequest");
48 return;
49 }
50 const req = new ContentXMLHttpRequest();
51 req.open("POST", "/api/set-login-cookie");
52 for (const name in authHeaders) {
53 req.setRequestHeader(name, authHeaders[name]);
54 }
55 req.send("");
56 req.onload = () => {
57 if (req.status !== 200) {
58 console.warn("Attempt to set Screenshots cookie via /api/set-login-cookie failed:", req.status, req.statusText, req.responseText);
59 }
60 };
61 }
63 registerListener("delete-everything", catcher.watchFunction((event) => {
64 // FIXME: reset some data in the add-on
65 }, false));
67 registerListener("request-login", catcher.watchFunction((event) => {
68 const shotId = event.detail;
69 catcher.watchPromise(callBackground("getAuthInfo", shotId || null).then((info) => {
70 if (info) {
71 sendBackupCookieRequest(info.authHeaders);
72 sendCustomEvent("login-successful", {deviceId: info.deviceId, accountId: info.accountId, isOwner: info.isOwner, backupCookieRequest: true});
73 }
74 }));
75 }));
77 registerListener("request-onboarding", catcher.watchFunction((event) => {
78 callBackground("requestOnboarding");
79 }));
81 registerListener("copy-to-clipboard", catcher.watchFunction(event => {
82 catcher.watchPromise(callBackground("copyShotToClipboard", event.detail));
83 }));
85 registerListener("show-notification", catcher.watchFunction(event => {
86 catcher.watchPromise(callBackground("showNotification", event.detail));
87 }));
89 // Depending on the script loading order, the site might get the addon-present event,
90 // but probably won't - instead the site will ask for that event after it has loaded
91 registerListener("request-addon-present", catcher.watchFunction(() => {
92 sendCustomEvent("addon-present", capabilities);
93 }));
95 sendCustomEvent("addon-present", capabilities);
97 })();
98 null;