This is an archived page. It's not actively maintained.



Support for extensions using XUL/XPCOM or the Add-on SDK was removed in Firefox 57, released November 2017. As there is no supported version of Firefox enabling these technologies, this page will be removed by December 2020.

Add-ons using the techniques described in this document are considered a legacy technology in Firefox. Don't use these techniques to develop new add-ons. Use WebExtensions instead. If you maintain an add-on which uses the techniques described here, consider migrating it to use WebExtensions.

Starting from Firefox 53, no new legacy add-ons will be accepted on (AMO) for desktop Firefox and Firefox for Android.

Starting from Firefox 57, only extensions developed using WebExtensions APIs will be supported on Desktop Firefox and Firefox for Android.

Even before Firefox 57, changes coming up in the Firefox platform will break many legacy extensions. These changes include multiprocess Firefox (e10s), sandboxing, and multiple content processes. Legacy extensions that are affected by these changes should migrate to use WebExtensions APIs if they can. See the "Compatibility Milestones" document for more information.

A wiki page containing resources, migration paths, office hours, and more, is available to help developers transition to the new technologies.



Create JavaScript sandboxes and execute scripts in them.


Create a sandbox

To create a sandbox:

const { sandbox, evaluate, load } = require("sdk/loader/sandbox");
let scope = sandbox('');

The argument passed to the sandbox defines its privileges. The argument may be:

  • a URL string, in which case the sandbox will get the same privileges as a script loaded from that URL
  • a DOM window object, to inherit privileges from the window being passed.
  • omitted or null: then the sandbox will have chrome privileges giving it access to all the XPCOM components.

Optionally the sandbox function can be passed a second argument (See sandbox documentation on MDN for details).

Evaluate code

Module provides evaluate function that lets you execute code in the given sandbox:

evaluate(scope, 'var a = 5;');
evaluate(scope, 'a + 2;'); //=> 7

More details about evaluated script may be passed via optional arguments that may improve exception reporting:

// Evaluate code as if it was loaded from '' and
// start from 2nd line.
evaluate(scope, 'a ++', '', 2);

Version of JavaScript can be also specified via an optional argument:

evaluate(scope, 'let b = 2;', 'bar.js', 1, '1.5');
// throws cause `let` is not defined in JS 1.5.

Load scripts

This module provides a limited API for loading scripts from local URLs. data: URLs are supported.

load(scope, 'resource://path/to/my/script.js');
load(scope, 'file:///path/to/script.js');
load(scope, 'data:,var a = 5;');




Make a new sandbox that inherits principals from source.


source : string|window|null
An object that determines the privileges that will be given to the sandbox. This argument can be:

  • a URI string, giving the sandbox the same privileges as a script loaded from that URL
  • a DOM window object, giving the sandbox the same privileges as the DOM window
  • null, to give the sandbox chrome privileges.

sandbox : A sandbox in which you can evaluate and load JavaScript.

evaluate(sandbox, code, uri, line, version)

Evaluate code in sandbox, and return the result.


sandbox : sandbox
The sandbox to use.

code : string
The code to execute.

uri : string
Evaluate the code as if it were being loaded from the given URI. Optional.

line : number
Evaluate the code starting at this line. Optional, defaults to 1.

version : string
Evaluate the code using this version of JavaScript. Defaults to 1.8.


result : Returns whatever the evaluated code returns.

load(sandbox, uri)

Evaluate code from uri in sandbox.


sandbox : sandbox
The sandbox to use.

uri : string
The URL pointing to the script to load. It must be a local chrome:, resource:, file: or data: URL.


result : Returns whatever the evaluated code returns.