[Affected versions]: - Firefox 58.0a1 (2017-10-24) - Firefox 57.0b11 (20171023180840) - Firefox 56.0.1 (20171002220106) [Affected platforms]: - Windows 7 64-bit - Mac OS X 10.13 [Prerequisites] - extensions.webextensions.remote set to true [Steps to reproduce]: 1.Install the following extensions: https://addons.mozilla.org/en-US/firefox/addon/gmail-mail-sidebar/?src=search https://addons.mozilla.org/en-US/firefox/addon/twitter-app/?src=ss 2.Click on the browserAction icon of the extension. 3.Observe the pop-up and the browser console. [Expected results]: - The pop-up content is loading correctly. [Actual results]: - The pop-up content is not loaded and an error is displayed in the browser console. - Sometimes you need to click multiple times on the browserAction to trigger the issue. Please see the attached video and logs.

The "ReferenceError: $ is not defined popup.js:44:5" error is because popup.js apparently expects jQuery to be available even though it doesn't load it. The popup fails because the extension apparently fails to remove the X-Frame-Options header (which is something the AMO review process should forbid...) in its background.js Shane, can you look into why that is failing?

Looked at the gmail addon. It happens 100% for me. In the webrequest listener, the headers are only modified if the documentUrl is the sidebar url. Fixing that makes the popup work fine. This is a bug in the extension.

Contacted the author of those add-ons through http://barisderin.com/?p=39

The twitter addon has a slightly different problem. Twitter creates a service worker that ends up redirecting the page and under that situation the documentUrl is not the page that contains the iframe, it's the service worker making the redirect. I was able to fix it thus: chrome.webRequest.onHeadersReceived.addListener(function(info) { var headers = info.responseHeaders; if(info.documentUrl.startsWith(chrome.extension.getURL("")) || (info.documentUrl.startsWith("https://mobile.twitter.com/") && info.parentFrameId == -1)) { for (var i = headers.length - 1; i >= 0; --i) { var header = headers[i].name.toLowerCase(); if (header == "frame-options" || header == "x-frame-options") { headers.splice(i, 1); } } return { responseHeaders: headers }; } }, {urls: ["https://mobile.twitter.com/*"]}, ["blocking", "responseHeaders"]); You don't need to use all_urls here (as well as the google one), that will just slow everything down.

(In reply to Shane Caraveo (:mixedpuppy) from comment #4) > if(info.documentUrl.startsWith(chrome.extension.getURL("")) || > (info.documentUrl.startsWith("https://mobile.twitter.com/") && > info.parentFrameId == -1)) { This is probably super unsafe. If the "https://mobile.twitter.com/" URL is meant to match the service worker, and remove the x-frame-options header from any framed requests that go through that service worker, it means that the header will be removed entirely, and the frame will be embeddable in any site.

Yeah, that's true, it will affect any framing of twitter. They've done a pretty good job on this. The only real solution I can think of is bug 1318532.

Thanks guys. What about blocking serviceworker.js url by background.js so it prevents Twitter to be cached? It is sure it will decrease the functionality of the Twitter but users want to quick check Twitter by the sidebar. Rather than an empty sidebar, decreased functionality is better for those kind of users.