[MV2] 针对 WebExtensions API Changes (Firefox 149-152) 做修正

[cyfung1031]

Checklist / 检查清单

• Fixes mentioned issues / 修复已提及的问题
• Code reviewed by human / 代码通过人工检查
• Changes tested / 已完成测试

Description / 描述

• 改 <iframe> 的烂代码
• 拿走没用的 <script> 烂代码
• 修正 content_security_policy 缺失的 'unsafe-eval'
• 兼容 Firefox 但不兼容 Chrome - 改 sandbox="allow-scripts" 为 sandbox="allow-same-origin allow-scripts"

注1： CSP 保留 blob, 因为我们还是会用 URL.createObjectURL(...). 保留以避免出问题。
注2： options.html 那个 sandbox.html 的去留由 CodFrm 决定

Screenshots / 截图

WebExtensions API Changes (Firefox 149-152)

https://blog.mozilla.org/addons/2026/04/23/webextensions-api-changes-firefox-149-152/

Firefox	Area	Change	API / surface affected	Status / behavior	Developer impact / migration notes	Extra discussion / context
149	Security / extension documents	Deprecated dynamic code/CSS injection into moz-extension: documents	tabs.executeScript, tabs.insertCSS, tabs.removeCSS, scripting.executeScript, scripting.insertCSS, scripting.removeCSS	Deprecated in Firefox 149; Nightly blocks it, Beta/Release warn; removal planned for 152. (MDN Web Docs)	Use normal <script> tags, module imports, static scripts, or a runtime.onMessage listener in the extension document to trigger behavior. (Mozilla Blog)	Bugzilla frames this as a security regression/mitigation-bypass: Firefox 56+ unintentionally allowed extensions to run arbitrary strings in privileged extension contexts; Chrome did not. (Bugzilla)
149 → 152	Security / extension documents	Final removal of dynamic injection into moz-extension: documents	Same APIs as above	Removed in Firefox 152 Nightly/release notes; feature was deprecated in 149. (MDN Web Docs)	Same workaround: message an already-loaded extension-page script instead of injecting code/CSS into the extension document. (MDN Web Docs)	Related Bugzilla discussion says Mozilla planned a warning-first rollout, then pref flip; protection was not yet enabled for release in the first fixed bug and tracked separately in bug 2015559. (Bugzilla)
149 / related mitigation	Extension sandboxing	manifest.json sandbox support discussed as replacement path for string execution	Manifest sandbox key	Not listed as a shipped 149–152 release-note item, but directly tied to the executeScript removal work.	For extensions that used the code option because a normal file script was not enough, Mozilla planned sandbox support so string-based execution can happen in unprivileged extension documents. (Bugzilla)	Bugzilla whiteboard moved to design-approved and blocks finalization of the executeScript-in-extension-documents restriction. (Bugzilla)
149	Popup behavior	action.openPopup() and browserAction.openPopup() no longer require a user gesture on desktop	action.openPopup, browserAction.openPopup	Available in Firefox 149 Desktop. (MDN Web Docs)	Popups can be opened from background events such as alarms, native messaging, or internal extension conditions, not only click handlers. (Mozilla Blog)	Bugzilla discussion says this was previously behind extensions.openPopupWithoutUserGesture.enabled; enabling by default required checking cross-browser behavior and adding rejection cases. (Bugzilla)
149	Popup behavior	openPopup({ windowId }) requires the target window to be focused	action.openPopup, browserAction.openPopup, windows.update	Firefox 149 behavior aligned with Chrome. (MDN Web Docs)	To open in an unfocused window, focus it first with windows.update(windowId, { focused: true }). (MDN Web Docs)	Bugzilla discussion says focusing an inactive window automatically was surprising and unsupported by Chrome, so Firefox should reject instead. (Bugzilla)
149	Action API compatibility	Added top-level tabId parameter form for action.isEnabled() / browserAction.isEnabled()	action.isEnabled(tabId), browserAction.isEnabled(tabId)	Firefox 149 release notes list the change; Bugzilla shows fixed for Firefox 149. (MDN Web Docs)	Improves Chrome compatibility and matches action.enable(tabId) / action.disable(tabId) style. (Bugzilla)	Implementation was first backed out for mochitest failures, then relanded and resolved fixed for 149. (Bugzilla)
149	Split View / tabs	Initial Split View exposure in WebExtensions	tabs.Tab.splitViewId, tabs.query, tabs.onUpdated, tabs.move, tabs.remove	Firefox 149 adds initial support and documents behavior for move/remove operations involving split-view tabs. (MDN Web Docs)	Extensions can detect whether a tab is in Split View and react when it joins/leaves one. splitViewId is read-only. (MDN Web Docs)	Bugzilla says the implementation added splitViewId to tabs.Tab and tabs.onUpdated; WECG API proposal was referenced. (Bugzilla)
149	Content-script globals	structuredClone behavior changed for content scripts	structuredClone in content scripts	Firefox changed object instantiation to the this realm; content scripts now get their own structuredClone shadowing window.structuredClone. (MDN Web Docs)	Compatibility safeguard for extensions sharing objects with page scripts. (MDN Web Docs)	Listed in MDN add-on developer notes, not emphasized in the Mozilla blog summary. (MDN Web Docs)
149 → 152	UI / icons	Automatic dark-theme CSS filter for pageAction SVG icons disabled/removed	page_action.default_icon SVGs; dark theme rendering	Disabled in Firefox 149 Nightly; planned/removed for broader Firefox 152. (MDN Web Docs)	Extensions should provide adaptive SVGs using prefers-color-scheme or use theme_icons where appropriate. (Mozilla Blog)	Mozilla says the old grayscale/brightness filter could reduce contrast for multicolor icons and hurt visibility, citing Firefox Multi-Account Containers as an example. (Mozilla Blog)
150	Split View / tabs	tabs.move() can swap tabs inside a split view	tabs.move	Firefox 150 updates split-view move behavior. (MDN Web Docs)	Extensions can reorder the two split-view tabs rather than seeing no movement. (Bugzilla)	Bugzilla notes browser UI treats split tabs as one unit, but the extension API can move tabs individually, so swapping should work; Chrome could already swap split-view tabs. (Bugzilla)
150	Split View / tabs	tabs.move() can unsplit when split-view tabs are explicitly listed apart	tabs.move	Firefox 150 closes the split view when a move list places another tab between split-view tabs. (MDN Web Docs)	This lets extensions express tab order explicitly; Firefox unsplits to preserve the requested relative order. (Bugzilla)	Bugzilla says a dedicated unsplit API is still future work, but this tabs.move case already has clear expected behavior. (Bugzilla)
150	WebAuthn / passkeys	Extension documents can assert a WebAuthn RP ID for host-permitted domains	navigator.credentials.create(), navigator.credentials.get(), manifest host_permissions	Available in Firefox 150. (MDN Web Docs)	Enables extensions to create/retrieve credentials for a service domain they have host permission for, rather than being limited to the extension origin. Servers must allowlist the extension origin format. (MDN Web Docs)	Bugzilla issue came from a real extension use case: a company extension needed to use WebAuthn credentials tied to its website/mobile app domain, but Firefox rejected custom RP IDs. (Bugzilla)
150	WebAuthn / server validation	Stable Firefox WebAuthn extension origin format introduced	clientDataJSON.origin	Firefox uses moz-extension://<hash> for WebAuthn extension-origin validation. (MDN Web Docs)	Servers validating extension-created credentials must accept Chrome’s chrome-extension://<id> and Firefox’s deterministic moz-extension://<sha256-hash> form. (MDN Web Docs)	MDN notes this is stable across users, unlike Firefox’s normal random moz-extension://uuid document URLs. (MDN Web Docs)
150	Modules / CSS import	Fixed some JavaScript import calls failing to import CSS	JavaScript import / CSS modules in add-on context	Listed as resolved in Firefox 150 add-on developer notes. (MDN Web Docs)	Reduces failures when extension code imports CSS through JS module flows.	This appears in MDN release notes but not the Mozilla blog summary. (MDN Web Docs)
151	Split View / tab groups	tabs.group() and tabs.ungroup() correctly add/remove split view when one split-view tab is included	tabs.group, tabs.ungroup	Firefox 151 Beta release notes; work in progress page, ships May 19, 2026. (MDN Web Docs)	Previously, these calls could fail or separate the split view; extension tab-group operations should now preserve/adjust split-view state correctly. (MDN Web Docs)	This is part of continuing Split View integration after the initial 149 API exposure.
151	Split View / tab groups	tabs.move() correctly moves a split view to the right inside tab groups	tabs.move	Firefox 151 Beta release notes. (MDN Web Docs)	Fixes earlier behavior where moving a split view only worked leftward or to the end of the tab list. (MDN Web Docs)	Mozilla blog summarizes this as Firefox 151 enabling extensions to move split views in tab groups. (Mozilla Blog)
152 target	Local file access	File URL access becomes explicit opt-in	file://*/, <all_urls>, content scripts on file: URLs, extension.isAllowedFileSchemeAccess()	Targeted for Firefox 152 in Mozilla blog; Bugzilla still showed open when crawled, with backend/UI patches attached. (Mozilla Blog)	Having <all_urls> or file://*/ is no longer enough; users must enable “Allow access to file URLs.” This applies to existing extensions too. (Bugzilla)	Bugzilla says file access is currently limited to content scripts, and the patch gates it on an internal permission plus UI control. (Bugzilla)
Future / related	Split View creation/removal	Dedicated extension API to create or remove split views is still future work	Future Split View API	Not shipped in 149–152; Mozilla says “more improvements are coming.” (Mozilla Blog)	For now, extensions can observe and move/split-effect via existing tab operations, but not directly create/remove split views via a dedicated API.	Bugzilla tracks this separately as “Add extension API to create split views, or remove split views.” (Bugzilla)

[cyfung1031]

sandbox="allow-same-origin allow-scripts"

MV2 为 Firefox 专用吧
MV3 版等 Firefox 对齐 Chrome