I have a simple WebExtension that is supposed to open a local page in a new window when a button is clicked:
// Open the packaged page in a small popup window.
function openMyPage() {
  var popupURL = chrome.extension.getURL("my-page.html");
  chrome.windows.create({
    url: popupURL,
    type: "popup",
    height: 200,
    width: 200
  });
}

// Run openMyPage when the toolbar button is clicked.
chrome.browserAction.onClicked.addListener(openMyPage);
Inside my-page.html I want to run JavaScript, but I can't get it to work. A simple script does not execute:
<html>
  <body>
    <script type="text/javascript"> document.write("js executed") </script>
  </body>
</html>
The URL of the opened page is along the lines of moz-extension://8974747a-3aa7-4654-93e5-ad60d3de0cc5/my-page.html. I've tried disabling add-ons such as NoScript, to no avail.
How can I execute JS on the page? What am I doing wrong? Please help.
Edit: manifest.json, per request:
{
  "description": "adds browser action icon toolbar open packaged web page. see https://developer.mozilla.org/en-us/add-ons/webextensions/examples#open-my-page-button",
  "manifest_version": 2,
  "name": "open-my-page",
  "version": "1.0",
  "homepage_url": "https://github.com/mdn/webextensions-examples/tree/master/open-my-page-button",
  "icons": {
    "48": "icons/page-48.png"
  },
  "applications": {
    "gecko": {
      "id": "open-my-page-button@mozilla.org",
      "strict_min_version": "45.0"
    }
  },
  "background": {
    "scripts": ["background.js"]
  },
  "browser_action": {
    "default_icon": "icons/page-32.png"
  }
}
It is taken directly from one of Mozilla's examples.
Inline scripts don't work with the default Content Security Policy
You are running with the default Content Security Policy, which is:
"script-src 'self'; object-src 'self';"
This means that inline JavaScript won't run. In other words, things like the following are not permitted in HTML:
<script type="text/javascript"> document.write("js executed")</script>
or
<script>console.log("foo");</script>
or
<div onclick="console.log('click')">click me!</div>
Normal solution:
The normal solution is to move the JavaScript into one, or more, separate files, and include them like:
<script type="text/javascript" src="my-page.js"></script>
Using inline scripts:
If you desire to use inline scripts, you can use the content_security_policy key in your manifest.json file. However, you will need to supply a "hash of the script in the "script-src" directive."
Unless, for some reason, you need to use inline scripts, you will find it much easier to move the script content into an external file rather than include scripts inline with the HTML (which will require you to recompute the hash whenever you change the script).
Implemented in Firefox 48:
This Content Security Policy was implemented in Firefox 48. The blog post regarding Firefox 48 makes sure to mention:
Please note: this will be a backwards incompatible change for any Firefox WebExtensions that did not adhere to this CSP. Existing WebExtensions that do not adhere to the CSP will need to be updated.
Your specific case:
It will work if you change your script to (whitespace counts when creating the hash):
<script type="text/javascript">document.write("js executed");</script>
And add the following line to your manifest.json:
"content_security_policy": "script-src 'self' 'sha256-z4nyjltj/rcifs77n2n91dzwoz1qg/1jfwu5odwwpc8='; object-src 'self';"
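As an added example (not part of the original answer), this Node.js script computes the 'sha256-...' source for each inline script in a page and builds the content_security_policy value, showing why whitespace changes the hash. The function names and sample pages are assumptions made up for illustration.

```javascript
// Added example: derive CSP hash sources for inline <script> bodies.
const { createHash } = require("crypto");

// The hash covers the exact text between <script> and </script>,
// whitespace included, encoded as base64 SHA-256.
function cspHash(scriptText) {
  const digest = createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Collect inline script bodies. Scripts loaded with src= are already
// allowed by 'self' and need no hash. A regex is adequate for a small
// packaged page; use a real HTML parser for anything more complex.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const hasSrc = /\bsrc\s*=/i.test(m[1]);
    if (!hasSrc && m[2].length > 0) bodies.push(m[2]);
  }
  return bodies;
}

// Build the manifest value: the default policy plus one hash per inline script.
function buildPolicy(html) {
  const hashes = [...new Set(inlineScripts(html).map(cspHash))];
  return ["script-src 'self'", ...hashes].join(" ") + "; object-src 'self';";
}

// Constructed sample pages (not real files).
const compactPage =
  '<html><body><script type="text/javascript">document.write("js executed");</script></body></html>';
const spacedPage =
  '<html><body><script type="text/javascript"> document.write("js executed") </script></body></html>';
const externalPage = '<html><body><script src="my-page.js"></script></body></html>';

// Same statement, different surrounding whitespace: two different hashes.
console.log(buildPolicy(compactPage));
console.log(buildPolicy(spacedPage));
// External script only: the default policy is returned unchanged.
console.log(buildPolicy(externalPage));
```

Run it again after every edit to an inline script and paste the printed value into manifest.json.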