Use page XHR for Firefox WE, and list host permissions explicitly.

src/meta/jshint.json

@@ -20,6 +20,7 @@
     "BroadcastChannel": false,
     "GM_info":      false,
     "cloneInto":    false,
+    "XPCNativeWrapper": false,
     "unsafeWindow": false,
     "chrome":       false,
     "GM":           false<%=

src/meta/manifest.json

@@ -23,9 +23,7 @@
 <% if (channel !== '-noupdate') { %>  "update_url": "<%= meta.downloads %>updates<%= channel %>.xml",
   "key": "<%= meta.appid %>",
 <% } %>  "minimum_chrome_version": "<%= meta.min.chrome %>",
-  "permissions": [
-    "storage"
-  ],
+  "permissions": <%= JSON.stringify(meta.matches_only.concat(["storage"])) %>,
   "optional_permissions": [
     "*://*/"
   ],

src/platform/$.coffee

@@ -45,6 +45,10 @@ $.ajax = do ->
   # With the `If-Modified-Since` header we only receive the HTTP headers and no body for 304 responses.
   # This saves a lot of bandwidth and CPU time for both the users and the servers.
   lastModified = {}
+  <% if (type === 'crx') { %>
+  if XPCNativeWrapper?
+    pageXHR = XPCNativeWrapper window.wrappedJSObject.XMLHttpRequest
+  <% } %>
 
   (url, options={}, extra={}) ->
     {type, whenModified, upCallbacks, form} = extra
@@ -53,7 +57,11 @@ $.ajax = do ->
     url = url.replace /^((?:https?:)?\/\/(?:\w+\.)?4c(?:ha|d)n\.org)\/adv\//, '$1//adv/'
     # XXX https://bugs.chromium.org/p/chromium/issues/detail?id=643659
     url += "?s=#{whenModified}" if $.engine is 'blink' and whenModified
-    r = new XMLHttpRequest()
+    xhr = XMLHttpRequest
+    <% if (type === 'crx') { %>
+    xhr = pageXHR or xhr
+    <% } %>
+    r = new xhr()
     type or= form and 'post' or 'get'
     try
       r.open type, url, true