diff --git a/src/bg/LifeCycle.js b/src/bg/LifeCycle.js index 6acee42..7b367ff 100644 --- a/src/bg/LifeCycle.js +++ b/src/bg/LifeCycle.js @@ -241,8 +241,17 @@ var LifeCycle = (() => { if (!UA.isMozilla) { // Chromium does not inject content scripts at startup automatically for already loaded pages, // let's hack it manually. - const contentScripts = browser.runtime.getManifest().content_scripts.find(s => - s.js && s.matches.includes("") && s.all_frames && s.match_about_blank).js; + const contentScripts = browser.runtime + .getManifest() + .content_scripts.find( + (s) => + s.js && + s.matches.includes("") && + s.all_frames && + s.match_about_blank && + // do not expose MAIN world scripts meant to run before untrusted page ones + s.world !== "MAIN" + ).js; await Promise.allSettled((await browser.tabs.query({})).map(async tab => { try { diff --git a/src/manifest.json b/src/manifest.json index 04a53bc..8d2ca30 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -117,6 +117,18 @@ "content/content.js" ] }, + { + "run_at": "document_start", + "matches": [""], + "match_about_blank": true, + "match_origin_as_fallback": true, + "all_frames": true, + "world": "MAIN", + "js": [ + "/nscl/main/uuid.js", + "/nscl/main/Worlds.js" + ] + }, { "run_at": "document_start", "matches": ["file://*/*", "ftp://*/*"], diff --git a/src/nscl b/src/nscl index 36c31a5..4e9966e 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit 36c31a591adc043c0cab12480440469fa54dd0e6 +Subproject commit 4e9966eeb7b50a68b05c079129a1dc6c666c1c8d