Is contentDocument really read-only? At least from extensions, I'm able to use it to arbitrarily modify the contentDocument.
Well, since Firefox 3.0 it is DEFINITELY read-only... apparently. I used to be able to do what you say. For instance, I needed to POST to a remote php script and get some HTML, then apply XPath on the responseText. I used to do contentDocument.write(responseText), then evalute() on that. Now I get an NS_ERROR_DOM_SECURITY_ERR. (buanzo [at-] buanzo.com.ar).
Possibly related: https://developer.mozilla.org/en/DOM/document.open#Notes