Since Violentmonkey v2.8.15, scripts are injected with Blob URLs instead of textContent
in v2.8.13-. Thanks to evilpie, see #246.
Before
In earlier versions, scripts are injected like this:
const s = document.createElement('script');
s.textContent = script;
document.body.appendChild(s);
document.body.removeChild(s);
This way works well on Chrome but does not work on Firefox 57- when page has a limit on inline script by CSP. See bugzilla.
Now
Since Firefox 58, we have a workaround by injecting scripts like this:
const b = new Blob([script], { type: 'text/javascript' });
const u = URL.createObjectURL(b);
const s = document.createElement('script');
s.src = u;
document.body.appendChild(s);
document.body.removeChild(s);
URL.revokeObjectURL(u);
Using Blob URLs instead of textContent
, scripts can be injected to pages on Firefox 58+ too.
Problem
Then we encountered a problem (v2.8.14, #249): sometimes the scripts are not injected at all. After debugging for a while, I figured out what was happening.
First let's take a look at the injection procedure:
- inject an initializer to context of page script
- load userscripts from content script
- post userscripts to the initializer through custom events
- execute userscripts
The problem is, when the userscripts are loaded and posted to the initializer, the initializer may be not ready yet. As a result, the posted userscripts are discarded.
But why won't this happen before?
Because the textContent
way is synchronous while the src
way is asynchronous.
Using the textContent
way, the initializer is initialized synchronously when injected. So the initializer is always ready when the userscripts are loaded.
But when using a Blob URL, the injection becomes asynchronous. Because it has to fetch the real content first. So the initializer may be not ready yet when the userscripts are laoded. Consequently, no userscript is injected.
Here is a demonstration:
{
const s = document.createElement('script');
s.textContent = 'console.log(1)';
document.body.appendChild(s);
document.body.removeChild(s);
}
{
const s = document.createElement('script');
const b = new Blob(['console.log(2)'], { type: 'text/javascript' });
const u = URL.createObjectURL(b);
s.src = u;
document.body.appendChild(s);
document.body.removeChild(s);
URL.revokeObjectURL(u);
}
console.log(3);
By running the code above in a browser (e.g. Chrome), we got output as below:
1
3
2
Conclusion
So we just need to ensure that the initializer is ready when posting userscripts to it.
Finally, it works on Chrome any and Firefox v58+, even on pages with CSP limitations.