I have a Greasemonkey userscript which runs most of its code in an unprivileged context by inserting a <script> tag like so:

function code {
  ...
}

var script = document.createElement("script");
script.type = "application/javascript";
script.innerHTML = "(" + code + ")();";
document.body.appendChild(script);

This avoids the need to do dangerous things with unsafeWindow.

However, I my code needs to get information from an API on another domain which doesn’t support JSONP. GM_xmlhttpRequest can access other domains, but is only available in the privileged Greasemonkey context.

I’d like to write a function which provides a limited interface and makes exactly the API call I need using GM_xmlhttpRequest, and then expose that (theoretically safe) function to the normal page context. My first attempt at that was something like:

unsafeWindow.foo = function() {
  console.log("Foo!");
  console.log(GM_xmlhttpRequest.toString());
  GM_xmlhttpRequest({
    method: "GET",
    url: "http://www.example.net/",
    headers: {
      "User-Agent": navigator.userAgent,
      "Accept": "text/html"
    },
    onload: function(response) {
      console.log(response);
      unsafeWindow.console.log(response);
      alert(response);
      unsafeWindow.alert(response);
    }
  });
  console.log("Bar!");
};

Interestingly, when I call foo() from the page context, I see “Foo!”, the stringified GM_xmlhttpRequest and “Bar!” in the console log. However, I never get the response in the console or in an alert. If I make the GM_xmlhttpRequest on its own in the GM context, I get both alerts and log messages.

The question is: is what I’m trying to do even possible? Or is there another way to accomplish the same thing?