Bug-2011234: remove the ability to dynamically execute code in moz-extension: documents (mdn#43108)

* Bug-2011234: remove the ability to dynamically execute code in `moz-extension:` documents

* Apply suggestions from linter

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Apply suggestions from review

Co-authored-by: Rob Wu <rob@robwu.nl>

* Apply suggestions from review

Co-authored-by: Rob Wu <rob@robwu.nl>

* Apply suggestion from @Rob--W

Co-authored-by: Rob Wu <rob@robwu.nl>

* Apply suggestion from @Rob--W

Co-authored-by: Rob Wu <rob@robwu.nl>

* Further clarifications of dynamic code execution in extension documents

* Apply suggestions from review

Co-authored-by: Rob Wu <rob@robwu.nl>

* Further feedback related changes

* typo

* Further feedback changes

* Apply suggestions from @Rob--W review

Co-authored-by: Rob Wu <rob@robwu.nl>

* Minor corrections

* Reapply deletion

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Rob Wu <rob@robwu.nl>

Author: 3 people

files/en-us/mozilla/add-ons/webextensions/api/runtime/onmessage/index.md

@@ -14,6 +14,7 @@ Some example use cases are:
 - **in a background script** to listen for messages from a content script.
 - **in an [options page or popup](/en-US/docs/Mozilla/Add-ons/WebExtensions/Anatomy_of_a_WebExtension#sidebars_popups_and_options_pages) script** to listen for messages from a background script.
 - **in a background script** to listen for messages from an options page or popup script.
+- **in a script in an [extension page](/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages)** to listen for messages requesting the execution of code in the page's scripts.
 
 To send a message that is received by the `onMessage()` listener, use {{WebExtAPIRef("runtime.sendMessage()")}} or (to send a message to a content script) {{WebExtAPIRef("tabs.sendMessage()")}}.
 

files/en-us/mozilla/add-ons/webextensions/api/scripting/executescript/index.md

@@ -11,13 +11,13 @@ Injects a script into a target context. The script is run at `document_idle` by
 > [!NOTE]
 > This method is available in Manifest V3 or higher in Chrome and Firefox 101. In Safari and Firefox 102+, this method is also available in Manifest V2.
 
-To use this API you must have the `"scripting"` [permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) and permission for the target's URL, either explicitly as a [host permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions) or using the [activeTab permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission). Note that some special pages do not allow this permission, including reader view, view-source, and PDF viewer pages.
+To use this API you must have the `"scripting"` [permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) and permission for the target's URL, either explicitly as a [host permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions) or using the [activeTab permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission). Note that some special pages do not allow this permission, including reader view, view-source, PDF viewer, and other built-in browser UI pages.
 
 In Firefox and Safari, partial lack of host permissions can result in a successful execution (with the partial results in the resolved promise). In Chrome, any missing permission prevents any execution from happening (see [Issue 1325114](https://crbug.com/1325114)).
 
 The scripts you inject are called [content scripts](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts).
 
-This is an asynchronous function that returns a [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise).
+Extensions cannot run content scripts in [extension pages](/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages). If an extension wants to run code in an extension page dynamically, it can include a script in the document. This script contains the code to run and registers a {{WebExtAPIRef("runtime.onMessage")}} listener that implements a way to execute the code. The extension can then send a message to the listener to trigger the code's execution.
 
 ## Syntax
 

files/en-us/mozilla/add-ons/webextensions/api/tabs/executescript/index.md

@@ -11,28 +11,17 @@ Injects JavaScript code into a page.
 > [!NOTE]
 > When using Manifest V3 or higher, use {{WebExtAPIRef("scripting.executeScript()")}} to execute scripts.
 
-You can inject code into pages whose URL can be expressed using a [match pattern](/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns). To do so, its scheme must be one of: `http`, `https`, or `file`.
+You can inject code into pages whose URL you can express using a [match pattern](/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns). To do so, its scheme must be one of: `http`, `https`, or `file`.
 
-You must have the permission for the page's URL—either explicitly, as a [host permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions)—or, via the [activeTab permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission). Note that some special pages do not allow this permission, including reader view, view-source, and PDF viewer pages.
+You must have the permission for the page's URL either explicitly, as a [host permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions), or using the [activeTab permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission). Note that some special pages do not allow this permission, including reader view, view-source, PDF viewer, and other built-in browser UI pages.
 
-You can also inject code into pages packaged with your own extension:
+Extensions cannot run content scripts in [extension pages](/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages). If an extension wants to run code in an extension page dynamically, it can include a script in the document. This script contains the code to run and registers a {{WebExtAPIRef("runtime.onMessage")}} listener that implements a way to execute the code. The extension can then send a message to the listener to trigger the code's execution.
 
-```js
-browser.tabs.create({ url: "/my-page.html" }).then(() => {
-  browser.tabs.executeScript({
-    code: `console.log('location:', window.location.href);`,
-  });
-});
-```
-
-You don't need any special permissions to do this.
-
-You _cannot_ inject code into any of the browser's built-in pages, such as: `about:debugging`, `about:addons`, or the page that opens when you open a new empty tab.
+> [!NOTE]
+> The ability to inject code into pages packaged with your extension was deprecated in Firefox 149 and removed in Firefox 152.
 
 The scripts you inject are called [content scripts](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts).
 
-This is an asynchronous function that returns a [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise).
-
 ## Syntax
 
 ```js-nolint
@@ -54,11 +43,11 @@ let executing = browser.tabs.executeScript(
 
     It contains the following properties:
     - `allFrames` {{optional_inline}}
-      - : `boolean`. If `true`, the code will be injected into all frames of the current page.
+      - : `boolean`. If `true`, the code is injected into all frames of the current page.
 
-        If `true` and `frameId` is set, then it will raise an error. (`frameId` and `allFrames` are mutually exclusive.)
+        If set to `true` and `frameId` is set, it raises an error. (`frameId` and `allFrames` are mutually exclusive.)
 
-        If it is `false`, code is only injected into the top frame.
+        If it is `false`, the code is injected only into the top frame.
 
         Defaults to `false`.
 
@@ -81,38 +70,38 @@ let executing = browser.tabs.executeScript(
         Defaults to `0` (the top-level frame).
 
     - `matchAboutBlank` {{optional_inline}}
-      - : `boolean`. If `true`, the code will be injected into embedded `about:blank` and `about:srcdoc` frames if your extension has access to their parent document. The code cannot be inserted in top-level `about:` frames.
+      - : `boolean`. If `true`, the code is injected into embedded `about:blank` and `about:srcdoc` frames if your extension has access to their parent document. The code cannot be inserted in top-level `about:` frames.
 
         Defaults to `false`.
 
     - `runAt` {{optional_inline}}
-      - : {{WebExtAPIRef('extensionTypes.RunAt')}}. The soonest that the code will be injected into the tab.
+      - : {{WebExtAPIRef('extensionTypes.RunAt')}}. The earliest that the code is injected into the tab.
 
         Defaults to `"document_idle"`.
 
 ### Return value
 
-A [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise) that will resolve to an array of objects. The array's values represent the result of the script in every injected frame.
+A [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise) that resolves to an array of objects. The array's values represent the script's result in each injected frame.
 
-The result of the script is the last evaluated statement, which is similar to what would be output (the results, not any `console.log()` output) if you executed the script in the [Web Console](https://firefox-source-docs.mozilla.org/devtools-user/web_console/index.html). For example, consider a script like this:
+The result of the script is the last evaluated statement, which is similar to the output (the results, not any `console.log()` output) if you executed the script in the [Web Console](https://firefox-source-docs.mozilla.org/devtools-user/web_console/index.html). For example, consider a script like this:
 
 ```js
 let foo = "my result";
 foo;
 ```
 
-Here the results array will contain the string `"my result"` as an element.
+Here, the results array contains the string `"my result"` as an element.
 
 The result values must be [structured cloneable](/en-US/docs/Web/API/Web_Workers_API/Structured_clone_algorithm) (see [Data cloning algorithm](/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities#data_cloning_algorithm)).
 
 > [!NOTE]
-> The last statement may be also a [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise), but this feature is unsupported by [webextension-polyfill](https://github.com/mozilla/webextension-polyfill#tabsexecutescript) library.
+> The last statement can also a [`Promise`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise), but this feature is unsupported by [webextension-polyfill](https://github.com/mozilla/webextension-polyfill#tabsexecutescript) library.
 
-If any error occurs, the promise will be rejected with an error message.
+If any error occurs, the promise is rejected with an error message.
 
 ## Examples
 
-This example executes a one-line code snippet in the currently active tab:
+This example executes a one-line code snippet in the active tab:
 
 ```js
 function onExecuted(result) {
@@ -131,7 +120,7 @@ const executing = browser.tabs.executeScript({
 executing.then(onExecuted, onError);
 ```
 
-This example executes a script from a file (packaged with the extension) called `"content-script.js"`. The script is executed in the currently active tab. The script is executed in subframes as well as the main document:
+This example executes a script from a file (packaged with the extension) called `"content-script.js"`. The script is executed in the active tab. The script is executed in subframes as well as the main document:
 
 ```js
 function onExecuted(result) {

files/en-us/mozilla/add-ons/webextensions/content_scripts/index.md

@@ -25,10 +25,6 @@ You can load a content script into a web page:
 
 There is only one global scope _per frame, per extension_. This means that variables from a content script can be accessed by any other content scripts, regardless of how the content script was loaded.
 
-Using methods (1) and (2), you can only load scripts into pages whose URLs can be represented using a [match pattern](/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns).
-
-Using method (3), you can also load scripts into pages packaged with your extension, but you can't load scripts into privileged browser pages (like `about:debugging` or `about:addons`).
-
 > [!NOTE]
 > [Dynamic JS module imports](/en-US/docs/Web/JavaScript/Guide/Modules#dynamic_module_loading) are now working in content scripts. For more details, see [Firefox bug 1536094](https://bugzil.la/1536094).
 > Only URLs with the _moz-extension_ scheme are allowed, which excludes data URLs ([Firefox bug 1587336](https://bugzil.la/1587336)).
@@ -79,7 +75,11 @@ The set of domains can be restricted further through enterprise policies: Firefo
 
 ### Limitations
 
-Whole tabs or frames may be loaded using [`data:` URI](/en-US/docs/Web/URI/Reference/Schemes/data), {{DOMxRef("URL.createObjectURL_static", "Blob")}} objects, and other similar techniques. Support of content scripts injection into such special documents varies across browsers, see the Firefox [bug #1411641 comment 41](https://bugzil.la/1411641#c41) for some details.
+By default, content scripts do not run in `about:blank`, `about:srcdoc`, `data:`, and `blob:` pages. To enable their execution, use the [`match_origin_as_fallback`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_scripts#match_origin_as_fallback) option in the `content_scripts` manifest key or the [`matchOriginAsFallback`](/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/RegisteredContentScript#matchoriginasfallback) option in the `scripting` API.
+
+Extensions cannot inject content scripts into privileged browser UI pages (such as `about:debugging`, `about:addons`, reader view, view-source, or the PDF viewer) or [extension pages](/en-US/docs/Mozilla/Add-ons/WebExtensions/user_interface/Extension_pages).
+
+If an extension wants to run code in an extension page dynamically, it can include a script in the page. This script contains the code to run and registers a {{WebExtAPIRef("runtime.onMessage")}} listener that implements a way to execute the code. The extension can then send a message to the listener to trigger the code's execution.
 
 ## Content script environment
 

files/en-us/mozilla/add-ons/webextensions/manifest.json/host_permissions/index.md

@@ -65,19 +65,6 @@ The extra privileges include:
 - the ability to access cookies for that host using the {{webextAPIref("cookies")}} API, as long as the `"cookies"` API permission is also included.
 - bypassing tracking protection for extension pages where a host is specified as a full domain or with wildcards.
 
-In Firefox extensions get host permissions for their origin, which is of the form:
-
-```url
-moz-extension://60a20a9b-1ad4-af49-9b6c-c64c98c37920/
-```
-
-where `60a20a9b-1ad4-af49-9b6c-c64c98c37920` is the extension's internal ID. The extension can get this URL programmatically by calling {{webextAPIref("extension/getURL", "extension.getURL()")}}:
-
-```js
-browser.extension.getURL("");
-// moz-extension://60a20a9b-1ad4-af49-9b6c-c64c98c37920/
-```
-
 ## Example
 
 ```json