Unless I am misunderstanding the note on the Mozilla documentation page for appendChild, we will no longer be able to append a <script> element in the following manner:

    var script = document.createElement('script'); 
    script.type = 'text/javascript'; 
    script.src = 'test.js'; 
    document.getElementsByTagName('head')[0].appendChild(script);

Which really makes no sense to me as we can always revert to the document.write method of old. I would rather use the DOM methods personally.

One week later and no responses anywhere. I've posted in the mozilla forums and searched the mailing lists but have come up empty. Nobody else curious or concerned about this pending change? It could potentially break quite a few pages, those that rely on attaching scripts using the DOM appendChild method anyway.

I can see restricting the domain which is allowed to provide new JavaScript to the originating one, but a blanket restriction such as this seems Draconian in the extreme.

Oh dear...that breaks A LOT of existing code. It's a simple fix, but really, if it's on the same domain shouldn't it be trusted?

seems Draconian in the extreme

Well hello there stranger, great to hear from you. I agree, it is extreme. I have been searching for a mailing list or otherwise where this new "feature" has been discussed and am coming up empty. Do you have any idea where the developers may be discussing this change?

if it's on the same domain shouldn't it be trusted?

That's 3 of us that feel the same way. And I'm not seeing anything in the standard [w3.org] that reads otherwise.

You know, this seems an incomplete security solution, anyway. What about insert and replace methods?

from anything other than chrome: URLs.

This language is vague, hopefully they just mean a cross domain restriction, that seems to be the only security issue.

I believe the chrome: URL restriction, in essence, limits the practice to Firefox extensions.

[edited by: Rambo_Tribble at 6:38 am (utc) on Feb. 27, 2009]

That was my thoughts too.

What about insert and replace methods?

Good point. There is no mention on their respective pages about the limitation. This is extremely vague.

This seems hard to believe. Seems like a mistake. And a very big deal if it's not.
Has anyone tested this to see if the appendChild fails?

As of right now it appears to be a documentation update in regards to a couple of bug fixes. Neither bug affects

appendChild

behavior in terms of whether the script executes. All that is affected is whether the executing script gets

XPCNativeWrapper

automation and is relevant only to chrome documents. I believe we will see an update to the documentation soon.

Now updated. Whew, glad that's over :)