window.openDialog is missing

Hi!
I want to use in webextension window.openDialog but get error “window.openDialog is not a function”.
I have tried in but without success:

  1. options page/options script
  2. content script
  3. background script.

How can I use it?

Regards,

Dimitar Angelov

In WebExtensions your code is executed in a normal window JS environment. The only special thing you get is the browser/chrome API.

Can you use browser action instead?

My end goal was to use nsIPermissionManager in webextension
Now I’m not sure is that the proper way?
On my old XPCOM extension in the options page I was placed button calling permission manager .
The calling code is using window.openDialog to open permission manager with specific parameters.
The first problem was that window.openDialog is missing, that is main reason for my post.
Today I have found another problem I even can’t open chrome://browser/content/preferences/permissions.xul from extension (access denied to this file).
My conclusion is that I’m on wrong way.
The big question to find answer is how to implement host based access control to functionality of webextension?
The old jsPrintSetup XPCOM extension was done Security Access Control using permission manager. For webextension this is not solution?

Didn’t we make this very clear already? You can’t use XUL, or any privileged JavaScript APIs.

In WebExtensions your code is executed in a normal window JS environment.

You can do everything websites can, only that a few restrictions that websites have when using these APIs are/can be dropped (e.g. with the correct host-permissions you can use XHR and fetch without CORS).

The only special thing you get is the browser/chrome API.

And that is it. If what you want is not in there or a normal web API, you won’t get it.

In conclusion, that means that you have to implement whatever exactly it is you mean by “host based access control” completely yourself.

I think this is what you want to do: Have a way for users to specify a set of hosts on which you want to expose a special API (a bunch of functions) to all website contexts of matching hosts.

If that is the case, then you will need some UI you create yourself with publicly available web technologies so that users can manage that list. Save it to browser.storage.local or .sync.

And now you have three options:

  1. In the background script, listen for webNavigation events of the matching hosts (specify a matching filter or do the filtering yourself). and use browser.tabs.executeScript() to (asynchronously) expose your API to those pages.

  2. Specify a "content_scripts" entry in your manifest for "<all_urls>". In that content script, (asynchronously) get the host list, check the current host against that list and expose your API if it matches.

  3. Specify a "content_scripts" entry in your manifest for "<all_urls>". In that content script, expose your API to all pages, regardless of the current host. Do run time checks of the host in the background if your API actually gets called.

None of these methods is perfect:

  1. Can be implemented quite efficient, especially if you only expect a small fraction of the visited pages, but your API will appear asynchronously on the page. It may, but may be injected before or after DOMContentLoaded (or any other reference point. That is simply not defined. Also, you will probably run into trouble with the BF-cache.

  2. Less efficient if your content script bails out for the majority of the pages. Also asynchronous, but usually faster. You will probably always inject your API before DOMContentLoaded. BF-cache is fine.

  3. API very very likely injected before the first page script is executed, so asynchronicity shouldn’t be a problem. But privacy is. Every website will be able to check if a user has your extension installed.

I have spent a lot of time trying to solve this problem. I tried to write an add-on that removes/manipulates page APIs for privacy reasons. I have literally spent weeks on the topic.
In regards to that extension my final conclusion was that it is not possible to implement that well enough to actually increase privacy. If there is even a single way for websites to obtain the original API, the entire extension is pointless.
You have the problem inversed. If in doubt, the websites will work with you, because they want your API.
One of the ways described above should work for you.

Thank you for detailed explanation!
I’ve found answers.