How can my Add-on SDK content script interact with a website page script?
There are a multitude of ways to interact with page scripts, the most common of which are covered in the official documentation, including all of the ways listed in the question.
Please read "Interacting with page scripts".
However, it should be pointed out that interacting with page scripts in a secure fashion can be hard. Be particularly aware that unsafeWindow
is called unsafe for a reason:
Be careful using unsafeWindow: you can't rely on any of its properties or functions being, or doing, what you expect. Any of them, even setters and getters, could have been redefined by a page script. Don't use it unless you trust the page, and even then be careful.
Also, unsafeWindow isn't a supported API, so it could be removed or changed in a future version of the SDK.
Reading data from or executing functions of unsafeWindow
is safe in the sense that it cannot directly lead to code execution in another (your content script) security context. The Javascript engine compartments will make sure of that.
But it is very true that you must never trust data coming from a website.
Always expect code to throw, Denial-of-service you with unexpected infinite loops or similar. And never ever explicitly or implicitly eval
uate code in the context of your content script.
Also, never think you can actually trust a website, even it it is your own website. Websites can be compromised (hacked), owners can change in the future, the data could be changed en route (active Man-In-The-Middle attacks), or another add-on could have modified it, etc.