fix: trash enabled by default, restart button, dashboard sort, base64 XHR, Firefox support

SysAdminDoc · SysAdminDoc · commit bb7ba5a7f52e · 2026-03-13T12:52:08.000-04:00
- Default trashMode to 30 days so deleted scripts go to trash instead of permanent delete
- Add restart message handler so the settings restart button works
- Dashboard defaults to sorting by most recently updated
- Encode arraybuffer XHR responses as base64 for efficient message passing
- Add Firefox manifest and build script
- Add CWS cookies justification doc
diff --git a/CWS_COOKIES_JUSTIFICATION.md b/CWS_COOKIES_JUSTIFICATION.md
@@ -0,0 +1,49 @@
+# ScriptVault - Cookies Permission Justification (Chrome Web Store)
+
+## Permission: `cookies` (optional)
+
+### Single Purpose Description
+
+ScriptVault is a userscript manager that allows users to install and run custom JavaScript userscripts on web pages. The `cookies` permission is listed as an **optional permission** and is only activated when a user installs a userscript that explicitly declares `@grant GM_cookie` or `@grant GM.cookie` in its metadata.
+
+### Why the `cookies` permission is needed
+
+ScriptVault implements the `GM_cookie` API, which is part of the standard Greasemonkey/Tampermonkey userscript API specification. This API provides three functions:
+
+- **`GM_cookie.list()`** — Reads cookies for a specific domain (calls `chrome.cookies.getAll()`)
+- **`GM_cookie.set()`** — Sets a cookie on a specific domain (calls `chrome.cookies.set()`)
+- **`GM_cookie.delete()`** — Removes a cookie from a specific domain (calls `chrome.cookies.remove()`)
+
+These functions are required for compatibility with existing userscripts that depend on cookie access for legitimate purposes such as:
+
+- Managing login sessions across subdomains
+- Clearing tracking cookies from specific sites
+- Reading site preferences stored in cookies
+- Automating cookie consent workflows
+
+### How it is used
+
+1. The `cookies` permission is declared as an **optional permission** in `manifest.json` — it is never granted at install time.
+2. When a user installs a userscript containing `@grant GM_cookie`, ScriptVault requests the permission via `chrome.permissions.request()` with an explicit user prompt.
+3. Cookie operations are gated by a per-script `@grant` check — scripts without the `GM_cookie` grant cannot access cookie functions even if the permission has been granted.
+4. An additional user-facing setting ("Allow scripts to access cookies") in the dashboard provides a global toggle for cookie access.
+5. The extension does not read, modify, or transmit cookies for its own purposes. All cookie operations are initiated exclusively by user-installed userscripts.
+
+### User control
+
+- Users choose which userscripts to install and can review `@grant` declarations before installation.
+- The optional permission prompt gives users an explicit opt-in at the browser level.
+- The dashboard settings panel provides a global cookie access toggle.
+- Users can revoke the optional permission at any time via Chrome's extension settings.
+
+### Privacy
+
+ScriptVault does not collect, store, or transmit any cookie data. Cookie operations occur entirely on the user's device between the userscript and the browser's cookie store. No cookie data is sent to any remote server by the extension itself. See our [Privacy Policy](https://github.com/SysAdminDoc/ScriptVault/blob/main/PRIVACY.md) for full details.
+
+---
+
+## CWS Submission Form — Suggested Text
+
+**"Why does your extension need the `cookies` permission?"**
+
+> ScriptVault is a userscript manager. The `cookies` permission is declared as optional and is only requested when a user installs a userscript that uses the standard GM_cookie API (`@grant GM_cookie`). This API allows userscripts to list, set, and delete cookies for specific domains — a standard feature of userscript managers (Tampermonkey, Violentmonkey). The permission is never used by the extension itself; it is exclusively used to fulfill userscript API calls initiated by user-installed scripts. Users must explicitly opt in via Chrome's permission prompt, and a dashboard toggle provides additional control. No cookie data is collected or transmitted by the extension.
diff --git a/background.core.js b/background.core.js
@@ -762,7 +762,7 @@ async function handleMessage(message, sender) {
         const scriptId = data.id || data.scriptId;
         if (!scriptId) return { error: 'No script ID provided' };
         const settings = await SettingsManager.get();
-        const trashMode = settings.trashMode || 'disabled';
+        const trashMode = settings.trashMode || '30';
 
         if (trashMode !== 'disabled') {
           // Move to trash instead of permanent delete
@@ -786,7 +786,7 @@ async function handleMessage(message, sender) {
         const trash = trashData.trash || [];
         // Clean expired entries
         const settings = await SettingsManager.get();
-        const trashMode = settings.trashMode || 'disabled';
+        const trashMode = settings.trashMode || '30';
         const maxAge = trashMode === '1' ? 86400000 : trashMode === '7' ? 604800000 : trashMode === '30' ? 2592000000 : 0;
         const now = Date.now();
         const valid = maxAge > 0 ? trash.filter(s => now - s.trashedAt < maxAge) : trash;
@@ -818,6 +818,11 @@ async function handleMessage(message, sender) {
         return { success: true };
       }
 
+      case 'restart': {
+        chrome.runtime.reload();
+        return { success: true };
+      }
+
       case 'permanentlyDelete': {
         const scriptId = data.scriptId;
         const trashData = await chrome.storage.local.get('trash');
@@ -1368,7 +1373,14 @@ async function handleMessage(message, sender) {
               
               if (data.responseType === 'arraybuffer') {
                 const buffer = await response.arrayBuffer();
-                responseData = Array.from(new Uint8Array(buffer));
+                // Encode as base64 for efficient transfer (33% overhead vs 800%+ for number arrays)
+                const bytes = new Uint8Array(buffer);
+                let binary = '';
+                // Process in 32KB chunks to avoid call stack overflow
+                for (let offset = 0; offset < bytes.length; offset += 32768) {
+                  binary += String.fromCharCode.apply(null, bytes.subarray(offset, offset + 32768));
+                }
+                responseData = { __sv_base64__: true, data: btoa(binary) };
                 sendEvent('progress', {
                   readyState: 3,
                   lengthComputable: contentLength > 0,
@@ -3090,13 +3102,35 @@ ${req.code}
       const eventType = msg.eventType;
       const eventData = msg.data || {};
       
+      // Decode binary responses transferred as base64/dataURL
+      let responseValue = eventData.response;
+      if (responseValue && typeof responseValue === 'object' && responseValue.__sv_base64__) {
+        // arraybuffer: base64 -> ArrayBuffer
+        const binary = atob(responseValue.data);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+        responseValue = bytes.buffer;
+      } else if (details.responseType === 'blob' && typeof responseValue === 'string' && responseValue.startsWith('data:')) {
+        // blob: data URL -> Blob
+        try {
+          const [header, b64] = responseValue.split(',');
+          const mime = header.match(/:(.*?);/)?.[1] || 'application/octet-stream';
+          const binary = atob(b64);
+          const bytes = new Uint8Array(binary.length);
+          for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+          responseValue = new Blob([bytes], { type: mime });
+        } catch (e) {
+          // Fall through with data URL string if conversion fails
+        }
+      }
+
       // Build response object matching GM_xmlhttpRequest spec
       const response = {
         readyState: eventData.readyState || 0,
         status: eventData.status || 0,
         statusText: eventData.statusText || '',
         responseHeaders: eventData.responseHeaders || '',
-        response: eventData.response,
+        response: responseValue,
         responseText: eventData.responseText || '',
         responseXML: eventData.responseXML,
         finalUrl: eventData.finalUrl || details.url,
diff --git a/background.js b/background.js
@@ -5291,7 +5291,7 @@ async function handleMessage(message, sender) {
         const scriptId = data.id || data.scriptId;
         if (!scriptId) return { error: 'No script ID provided' };
         const settings = await SettingsManager.get();
-        const trashMode = settings.trashMode || 'disabled';
+        const trashMode = settings.trashMode || '30';
 
         if (trashMode !== 'disabled') {
           // Move to trash instead of permanent delete
@@ -5315,7 +5315,7 @@ async function handleMessage(message, sender) {
         const trash = trashData.trash || [];
         // Clean expired entries
         const settings = await SettingsManager.get();
-        const trashMode = settings.trashMode || 'disabled';
+        const trashMode = settings.trashMode || '30';
         const maxAge = trashMode === '1' ? 86400000 : trashMode === '7' ? 604800000 : trashMode === '30' ? 2592000000 : 0;
         const now = Date.now();
         const valid = maxAge > 0 ? trash.filter(s => now - s.trashedAt < maxAge) : trash;
@@ -5347,6 +5347,11 @@ async function handleMessage(message, sender) {
         return { success: true };
       }
 
+      case 'restart': {
+        chrome.runtime.reload();
+        return { success: true };
+      }
+
       case 'permanentlyDelete': {
         const scriptId = data.scriptId;
         const trashData = await chrome.storage.local.get('trash');
@@ -5897,7 +5902,14 @@ async function handleMessage(message, sender) {
               
               if (data.responseType === 'arraybuffer') {
                 const buffer = await response.arrayBuffer();
-                responseData = Array.from(new Uint8Array(buffer));
+                // Encode as base64 for efficient transfer (33% overhead vs 800%+ for number arrays)
+                const bytes = new Uint8Array(buffer);
+                let binary = '';
+                // Process in 32KB chunks to avoid call stack overflow
+                for (let offset = 0; offset < bytes.length; offset += 32768) {
+                  binary += String.fromCharCode.apply(null, bytes.subarray(offset, offset + 32768));
+                }
+                responseData = { __sv_base64__: true, data: btoa(binary) };
                 sendEvent('progress', {
                   readyState: 3,
                   lengthComputable: contentLength > 0,
@@ -7619,13 +7631,35 @@ ${req.code}
       const eventType = msg.eventType;
       const eventData = msg.data || {};
       
+      // Decode binary responses transferred as base64/dataURL
+      let responseValue = eventData.response;
+      if (responseValue && typeof responseValue === 'object' && responseValue.__sv_base64__) {
+        // arraybuffer: base64 -> ArrayBuffer
+        const binary = atob(responseValue.data);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+        responseValue = bytes.buffer;
+      } else if (details.responseType === 'blob' && typeof responseValue === 'string' && responseValue.startsWith('data:')) {
+        // blob: data URL -> Blob
+        try {
+          const [header, b64] = responseValue.split(',');
+          const mime = header.match(/:(.*?);/)?.[1] || 'application/octet-stream';
+          const binary = atob(b64);
+          const bytes = new Uint8Array(binary.length);
+          for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+          responseValue = new Blob([bytes], { type: mime });
+        } catch (e) {
+          // Fall through with data URL string if conversion fails
+        }
+      }
+
       // Build response object matching GM_xmlhttpRequest spec
       const response = {
         readyState: eventData.readyState || 0,
         status: eventData.status || 0,
         statusText: eventData.statusText || '',
         responseHeaders: eventData.responseHeaders || '',
-        response: eventData.response,
+        response: responseValue,
         responseText: eventData.responseText || '',
         responseXML: eventData.responseXML,
         finalUrl: eventData.finalUrl || details.url,
diff --git a/build-firefox.sh b/build-firefox.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+# ScriptVault - Firefox Add-on Build Script
+# Packages the extension into an .xpi/.zip ready for AMO upload or sideloading
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+BUILD_DIR="$SCRIPT_DIR/build-firefox"
+VERSION=$(grep -o '"version": "[^"]*"' "$SCRIPT_DIR/manifest-firefox.json" | cut -d'"' -f4)
+ZIP_NAME="ScriptVault-firefox-v${VERSION}.zip"
+
+echo "Building ScriptVault for Firefox v$VERSION..."
+
+# Build background.js first if source modules exist
+if [ -f "$SCRIPT_DIR/build-background.sh" ]; then
+  echo "Building background.js from source modules..."
+  bash "$SCRIPT_DIR/build-background.sh"
+fi
+
+# Clean previous build
+rm -rf "$BUILD_DIR"
+mkdir -p "$BUILD_DIR"
+
+# Files/folders to include
+INCLUDE=(
+  background.js
+  content.js
+  shared
+  pages
+  images/icon16.png
+  images/icon32.png
+  images/icon48.png
+  images/icon128.png
+  lib
+  _locales
+)
+
+# Copy Firefox manifest as manifest.json
+cp "$SCRIPT_DIR/manifest-firefox.json" "$BUILD_DIR/manifest.json"
+
+# Copy included files
+for item in "${INCLUDE[@]}"; do
+  src="$SCRIPT_DIR/$item"
+  dest="$BUILD_DIR/$item"
+  if [ -d "$src" ]; then
+    mkdir -p "$dest"
+    cp -r "$src"/* "$dest"/
+  elif [ -f "$src" ]; then
+    mkdir -p "$(dirname "$dest")"
+    cp "$src" "$dest"
+  else
+    echo "Warning: $item not found, skipping"
+  fi
+done
+
+# Build the zip/xpi
+cd "$BUILD_DIR"
+rm -f "$SCRIPT_DIR/$ZIP_NAME"
+
+if command -v zip &> /dev/null; then
+  zip -r "$SCRIPT_DIR/$ZIP_NAME" . -x "*.DS_Store" "*Thumbs.db"
+else
+  powershell.exe -NoProfile -Command "Compress-Archive -Path '$BUILD_DIR\*' -DestinationPath '$SCRIPT_DIR\\$ZIP_NAME' -Force"
+fi
+
+echo ""
+echo "Build complete: $ZIP_NAME"
+echo "Size: $(du -h "$SCRIPT_DIR/$ZIP_NAME" | cut -f1)"
+echo ""
+echo "Ready for Firefox Add-ons (AMO) upload or sideloading."
+
+# Cleanup
+rm -rf "$BUILD_DIR"
diff --git a/manifest-firefox.json b/manifest-firefox.json
@@ -0,0 +1,68 @@
+{
+  "manifest_version": 3,
+  "name": "__MSG_extName__",
+  "version": "1.5.2",
+  "description": "__MSG_extDescription__",
+  "default_locale": "en",
+  "homepage_url": "https://github.com/SysAdminDoc/ScriptVault",
+  "browser_specific_settings": {
+    "gecko": {
+      "id": "ScriptVault@sysadmindoc.dev",
+      "strict_min_version": "128.0"
+    }
+  },
+  "icons": {
+    "16": "images/icon16.png",
+    "32": "images/icon32.png",
+    "48": "images/icon48.png",
+    "128": "images/icon128.png"
+  },
+  "permissions": [
+    "storage",
+    "tabs",
+    "notifications",
+    "menus",
+    "scripting",
+    "userScripts",
+    "webNavigation",
+    "unlimitedStorage",
+    "alarms",
+    "downloads"
+  ],
+  "optional_permissions": [
+    "clipboardWrite",
+    "clipboardRead",
+    "identity",
+    "cookies"
+  ],
+  "host_permissions": [
+    "<all_urls>"
+  ],
+  "background": {
+    "scripts": ["background.js"],
+    "type": "module"
+  },
+  "action": {
+    "default_icon": {
+      "16": "images/icon16.png",
+      "32": "images/icon32.png"
+    },
+    "default_title": "__MSG_extName__",
+    "default_popup": "pages/popup.html"
+  },
+  "options_ui": {
+    "page": "pages/dashboard.html",
+    "open_in_tab": true
+  },
+  "content_scripts": [{
+    "matches": ["<all_urls>"],
+    "js": ["content.js"],
+    "run_at": "document_start",
+    "all_frames": true
+  }],
+  "web_accessible_resources": [{
+    "resources": ["pages/install.html"],
+    "matches": ["<all_urls>"]
+  }],
+  "commands": {}
+}
diff --git a/pages/dashboard.js b/pages/dashboard.js
@@ -10,8 +10,8 @@
         editor: null,
         unsavedChanges: false,
         selectedScripts: new Set(),
-        sortColumn: 'order',
-        sortDirection: 'asc',
+        sortColumn: 'updated',
+        sortDirection: 'desc',
         openTabs: {}  // { scriptId: { code, unsaved } }
     };
 
@@ -338,6 +338,7 @@
         await loadScripts();
         initEditor();
         initEventListeners();
+        updateSortIndicators();
         applyTheme();
         updateStats();
         toggleSyncProviderSettings();
@@ -456,7 +457,7 @@
         if (elements.settingsDebugMode) elements.settingsDebugMode.checked = s.debugMode || false;
         if (elements.settingsShowFixedSource) elements.settingsShowFixedSource.checked = s.showFixedSource || false;
         if (elements.settingsLoggingLevel) elements.settingsLoggingLevel.value = s.loggingLevel || 'error';
-        if (elements.settingsTrashMode) elements.settingsTrashMode.value = s.trashMode || 'disabled';
+        if (elements.settingsTrashMode) elements.settingsTrashMode.value = s.trashMode || '30';
         
         // Appearance settings
         if (elements.settingsLayout) elements.settingsLayout.value = s.layout || 'dark';
