Loading an external script from within firefox extension

I am currently rewriting a firefox extension to be used only internally at my company. I started out by moving most of the logic into an external js file loaded via a script tag within the xul overlay. (We've found it hard to get our employees to consistently upgrade so I thought I could get around that). It worked fine like this:

<overlay id="my-overlay"
 xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
 xmlns:html="http://www.w3.org/1999/xhtml">
<script type="application/x-javascript" src="https://my.company.com/path/to/jquery.min.js/>
<script type="application/x-javascript" src="https://my.company.com/path/to/toolbar/main.js"/>

<toolbox id="navigator-toolbox"> 

    <!-- some stuff here -->

</toolbox>

But then I had the crazy idea of loading the script file dynamically so that I could use pre开发者_JAVA百科ferences to determine whether it would load from the production servers or alpha/beta servers. And that's when I failed miserably.

I've tried the following unsuccessfully:

• $.ajax({ dataType: 'script', ... }) // appears to do absolutely nothing
• $('overlay').appendChild('', { src: ... }) // script tag is added but not executed
• document.createElementNS, etc // script tag is is added but not executed
• Components.utils.import // does not accept http protocol
• mozIJSSubScriptLoader // does not accept http protocol

I haven't attempted Components.utils.evalInSandbox but given its restrictions, I'm afraid it would require significant other code changes that would not be worth the slight simplification of the development cycle.

From reading thru much more mozilla documentation and bugs it appears that basically what I'm attempting to do is breaking various security concerns (I understand in principle but of course in my case, I have full control of both ends).

The thing that bothers me is that it appears to work fine as long as I hard code the script tag but only fails once I try to dynamically generate it. Should I just toss in the towel or does someone know a way to make this work?

Have you tried the brute-force approach of reading in the file using XMLHttpRequest and then just calling eval() to run it? On the face of it this seems scary from a security perspective but, as you say, using a script tag with an HTTP source URL is basically the same thing.