Version & Compatibility
Supported browsers, manifest flavors, permissions, frame/CSP boundaries, and how contracts stay stable between releases.
Version 7.10.1 · Canonical envelopes · Firefox ✓ · Chrome (MV3) planned · Stable contracts since 7.5
v7.10.1
Use the canonical ask(action, args) helper
<script>
const ADMIN_ORIGIN='admin', EXT_ORIGIN='extension';
let _seq=0, _waiters=new Map();
addEventListener('message', (e) => {
const d=e.data; if(!d||typeof d!=='object') return;
if(d.origin!==EXT_ORIGIN) return;
if(d.requestId && _waiters.has(d.requestId)) { _waiters.get(d.requestId)(d); _waiters.delete(d.requestId); }
});
function ask(action, args={}, timeoutMs=12000){
const requestId='r'+(++_seq);
postMessage({ origin:ADMIN_ORIGIN, type:'RTO_REQUEST', requestId, action, args }, '*');
return new Promise((resolve,reject)=>{
const t=setTimeout(()=>{ _waiters.delete(requestId); reject(Object.assign(new Error('timeout'),{ code:'TIMEOUT' })); }, timeoutMs);
_waiters.set(requestId, (resp)=>{ clearTimeout(t); resolve(resp); });
});
}
</script>Keep this identical on all pages so behavior is predictable for developers.
2) Browser & Feature Support Matrix
| Capability | Firefox (≥110, MV2) | Chrome (MV3) | Notes |
|---|---|---|---|
| Open / Navigate remote tab | Supported | Planned | HTTPS-only. http://, file:// and javascript: are blocked. |
| Focus / focusByUrl / focusByPrefix | Supported | Planned | Some OS/window managers may need a second focus call after new window creation. |
| getUrl / getTitle | Supported | Planned | Returns error if no controlled tab exists (NO_CONTROLLED_TAB). |
| DOM actions (type, setValue, click, select, submit, waitFor) | Supported | Planned | Run in page context; sensitive fields guarded (FORBIDDEN). |
| DOM visuals (domSetStyle, highlight) | Supported | Planned | Whitelist + !important for safe cues; auto-restore highlight. |
| selectSetValue / getHtml (extended) | Supported | Planned | Reads one of outerHTML|innerHTML|textContent|innerText|value; sensitive reads blocked. |
| runJs (page-side snippets) | Supported | Planned | Short snippets; failures surface as EXECUTION_ERROR. |
| Allow-list (deny-by-default) | Supported | Planned | User adds hosts via popup; wildcards like *.example.com allowed. |
| Optional Request Blocking (WRB) | MV2 optional | Not used | Off by default; scoped to controlled tab; keep OFF for store builds. |
| All-frames content script | Supported | Planned | Cross-origin iframes remain isolated by design (SOP). |
Tip: gray out “Remote” UI until a ping → pong succeeds (see Detect the Extension).
3) MV2 / MV3 differences
- Firefox MV2 (current): full core feature set; optional WRB helper (disabled by default).
- Chrome MV3 (in progress): same message contract; core features target parity.
- Compatibility goal: the same admin code works across browsers; MV3 avoids MV2-only helpers like WRB.
4) Permissions & Policies
4.1 Allow-list policy (deny-by-default)
- Actions run only on hosts the user added in the extension popup.
- Wildcards supported:
*.example.com(cover subdomains). - Blocked schemes & scopes:
http://,file://,javascript:, and local/LAN ranges (e.g.,localhost,127.0.0.1,192.168.x.x). - To test intranet/localhost safely, follow the LAN page (double barrier + explicit allow-list).
- Auto-resume: on
DOMAIN_NOT_ALLOWED, the extension shows its banner; after “Add”, the pending action resumes with the originalfocusflag.
4.2 Sensitive-field guard
- Reads/writes to password-like or flagged inputs are blocked.
- Surfaced as
ok:falsewitherror.code:"FORBIDDEN". - Design flows to avoid secrets extraction; prefer server tokens or user prompts.
5) Focus behavior
By default, open/navigate bring the remote tab to the foreground. You can override or suppress once.
<script type="module">
await ask('open', { url:'https://example.com', focus:false });
await ask('suppressNextFocus');
await ask('navigate', { url:'https://example.com/dashboard' });
await ask('focusMaster'); // return to admin
</script>On some desktops, a second focus right after creating a new window provides more reliable activation.
6) Frames & CSP boundaries
- All-frames injection: same-origin frames are covered when host permissions allow it.
- Cross-origin iframes: not accessible by design; navigate the remote tab directly to that origin instead.
- CSP:
runJsexecutes in the page context; strict CSP may block certain constructs; failures surface asEXECUTION_ERROR.
7) Error-code stability (since 7.5)
| Code | Meaning | Typical fix |
|---|---|---|
INVALID_URL | Malformed / disallowed scheme | Use absolute https://; never http://, javascript: or file:// |
NO_CONTROLLED_TAB | No remote tab yet | Call open/navigate first |
DOMAIN_NOT_ALLOWED | Host not in Allow-list | Guide user to add domain; retry |
ELEMENT_NOT_FOUND | Selector mismatch | waitFor or fix selector |
TIMEOUT | Wait exceeded | Increase timeoutMs; backoff; probe readiness |
FORBIDDEN | Sensitive field protection | Avoid reading/writing secrets |
EXECUTION_ERROR | Snippet threw in page | Harden code; guard for nulls; check console |
Minor releases add fields but do not remove existing ones. Treat unknown fields as optional.
8) Upgrade guide
- Keep the helper identical across pages (
ask(action,args)+requestId+ timeouts). - Probe on load with
pingand hide “Remote” UI until a reply is observed. - Allow-list UX: on
DOMAIN_NOT_ALLOWED, show a friendly banner and a clear “Try again”. - Assert before act: verify URL/title, then
waitForbefore DOM changes. - Log durations and statuses in a lightweight console to speed up QA.
Safe default: when unsure after an update, start with read-only probes (
getUrl, getTitle) and visible UI prompts.9) Known limitations
- Cross-origin iframes cannot be automated.
- File inputs cannot be set programmatically (browser security).
- Focus may be throttled by some window managers after tab creation.
- Local/LAN targets and
file:///javascript:schemes are blocked by design.
10) FAQ
| Question | Answer |
|---|---|
| Do I need different code for Firefox vs Chrome? | No. The request/response contract is the same. Chrome MV3 work is ongoing; avoid MV2-only helpers like WRB. |
| Will 7.10.1 break older admin pages? | No. Contracts are stable; new fields are additive. See Full API Reference. |
| Why does my first action fail right after install? | Content scripts may still be warming up. Add a short ping retry (see Detect page). |
We allowed example.com but app.example.com fails. |
Add the exact host or use a wildcard (e.g., *.example.com), according to your policy. |
Need help writing safe flows?Next Pages
| Page | Description |
|---|---|
| Start | Overview, how it works, setup, quick start, and links to all sections. |
| Detect the Extension | Detection contract (ping/pong), install prompts, and graceful fallbacks when the extension isn’t present. |
| Allow-list & Permissions | Deny-by-default model, domain allow-list via popup, and suggested UX to guide users to enable hosts. |
| LAN / Localhost | How to safely enable intranet/localhost (double barrier + allow-list). |
| Remote Tab Control | Open/navigate/focus the controlled tab, read URL/title, select an existing tab, lifecycle & restore patterns. |
| DOM & Automation | Action catalog (type, setValue, click, select, submit, waitFor) and safe interaction tips. |
| Recipes & Flows | Copy-paste flows: resilient login, dashboard checks, table waits, filters, playlists, and allow-list banners. |
| Events | Event stream reference, subscription helpers, live logger widget, and basic metrics/durations collection. |
| Diagnostics | Inline console, error cookbook, QA self-check, and performance tips for troubleshooting flows quickly. |
| Full API Reference | Canonical message envelopes, request/response schemas, error codes, and return shapes for every action. |
| Compatibility | Supported browsers/versions, permissions nuances, CSP/iframe notes, and known limitations or workarounds. |
| Advanced Patterns | Idempotent flows, retries/backoff, state restore after reload, playlist strategies, and robust selectors. |
| Favorites | Star and group URLs, quick actions (open/focus/navigate), export/import sets, and playlist runs from favorites. |
| Real-World Flows (E2E) | Run end-to-end flows from your admin page: helper setup, modern message contract, copy-paste journeys (login, multi-tab, extract), lightweight assertions, best practices, and troubleshooting. |