Q404: What @sandbox value should I use?
A404: @sandbox supports the following values: "raw", "JavaScript" and "DOM".
- "raw" access mode means that a script, for compatibility reasons, always needs to run in page context. At the moment this mode is the default if @sandbox is omitted.
- "JavaScript" access mode means that this script needs unsafeWindow access. On Firefox a special context is created, which should also bypass all remaining CSP issues. In other browsers, execution in page context is used as a fallback.
- "DOM" access mode means that the script only needs DOM access and no direct unsafeWindow access. If enabled, these scripts are executed inside the extension context, or otherwise in any other enabled context.
There is also an option to configure which sandbox modes userscripts are allowed to use. Attention: any option that enables "DOM" mode is potentially insecure. Userscripts that run in extension context have almost full extension permissions and can even modify and install new userscripts.
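Because the declared mode decides which context a script runs in, it is worth checking before a script is installed. The following is an added example, not Tampermonkey's own code: it reads the @sandbox line from a userscript's metadata block and reports the cases described above. The function names and the exact-spelling match of the three values are assumptions.

```javascript
// Added example: audit a userscript's @sandbox declaration before installing it.
const MODES = ["raw", "JavaScript", "DOM"]; // the values this FAQ entry lists

// Collect "// @key value" lines from the ==UserScript== metadata block.
function parseMetadata(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(\S+)[ \t]*(.*?)\s*$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return { meta, body: source.slice(block.index + block[0].length) };
}

function auditSandbox(source) {
  const parsed = parseMetadata(source);
  if (!parsed) return { mode: null, findings: ["no metadata block found"] };
  const declared = parsed.meta.sandbox || [];
  const findings = [];
  let mode = "raw"; // default when @sandbox is omitted, per the FAQ entry
  if (declared.length === 0) {
    findings.push("@sandbox omitted: defaults to raw (page context)");
  } else if (!MODES.includes(declared[0])) {
    // Assumption: values are matched exactly as spelled on the page.
    mode = null;
    findings.push(`unknown @sandbox value "${declared[0]}"`);
  } else {
    mode = declared[0];
  }
  if (declared.length > 1) findings.push("more than one @sandbox line");
  const usesUnsafeWindow = /\bunsafeWindow\b/.test(parsed.body);
  if (mode === "DOM") {
    findings.push("DOM mode: may run in extension context; review the script and its author");
    if (usesUnsafeWindow) findings.push("declares DOM but references unsafeWindow");
  }
  return { mode, findings };
}

// Constructed sample script, not taken from any real userscript.
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Constructed sample",
  "// @sandbox  DOM",
  "// ==/UserScript==",
  "unsafeWindow.foo = 1;",
].join("\n");

console.log(auditSandbox(SAMPLE));
```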