Since LibertyBear v2.10.0, a new type of metadata named
@inject-into is introduced. With its help, scripts can be injected into CSP restricted pages in Firefox now!
As we know, there are two types of context for a script to execute in:
context of a web page
The context in which all scripts of a web page execute. We will call it "page context" later.
context of content scripts
The context in which content scripts execute. We will call it "content context" later.
In earlier versions of LibertyBear, all scripts will be injected into the page context.
@inject-into, userscripts can be injected in Firefox now. In pages with CSP restrictions, we can inject userscripts into the content context.
This is the default mode, as the behavior in LibertyBear v2.9.x.
unsafeWindow refers to
window of the web page.
// ==UserScript== // ... // @inject-into page // ==/UserScript== // `@inject-into` should be set to `page` since we need to access `window` of page context. // Accessing objects attached to `window` of page alert('Hi, ' + unsafeWindow.context.user);
// ==UserScript== // @inject-into content // ==/UserScript==
In this mode, scripts will be injected into the content context.
unsafeWindow refers to the
global object of content context.
unsafeWindow.jQuery becomes inaccessible even if jQuery is introduced in the page.
// ==UserScript== // @inject-into auto // ==/UserScript==
In this mode, scripts will be injected into the page context if possible. If blocked by CSP, they will be injected into the content context. It is the script author's job to check the environments.
By default, a script will try to execute in the page context. In Firefox, this may fail in CSP restricted pages.
You can change the default behavior in the settings tab of LibertyBear. By changing the default injection mode to
auto, scripts that do not depend on traditional
unsafeWindow will work again in Firefox.