Permissions not working for content scripts


Bogdan

Sep 23, 2015, 8:57:50 AM
to Chromium-extensions
Hi guys,

Does anyone know if content script permissions were removed in the last Chrome update (currently I have Chrome version 45.0.2454.99)?

It worked before, but now it throws some CSP errors in JavaScript...

Manifest.json permissions:

"permissions": [
    "<all_urls>",
    "cookies",
    "tabs",
    "management",
    "webRequest",
    "webRequestBlocking",
    "webNavigation",
    "storage",
    "notifications"
]

and content scripts

"content_scripts": [
    {
        "run_at": "document_start",
        "matches": ["http://*/*", "https://*/*", "file:///*/*.pdf", "*://*/*.pdf*"],
        "exclude_globs": [
            "chrome-devtools://*"
        ],
        "js": [
            "js/jquery-2.1.1.min.js",
            "js/jquery-ui.min.js",
            "js/extension_handler.js"
        ]
    }
]



Bogdan

Sep 23, 2015, 10:09:20 AM
to Chromium-extensions
To make this clear, the content scripts are injected. I have <all_urls> listed in the manifest permissions, and that allowed me to access other iframes from the web page. Right now this is throwing some content security policy errors. It worked before. Maybe this is due to the Chrome browser and not the extensions.

Daniel Loureiro

Sep 23, 2015, 12:46:01 PM
to Chromium-extensions
We're seeing the same issue with our extension.
I hope that we get some sort of clarification soon about what's going on...

In the meantime, to anyone that's also having this issue, please share your experience here to see if we can get it solved.

Thanks

Antony Sargent

Sep 23, 2015, 2:19:19 PM
to Daniel Loureiro, Chromium-extensions
Can someone post a specific example of a script and URL where they're seeing this problem?



Wolf War

Sep 23, 2015, 3:38:51 PM
to Chromium-extensions
Speaking from my own experience, I know that they changed the behavior of the Active tab permission around a month and a half ago.
It is not possible to execute a script (chrome.tabs.executeScript) with it in iframes from a different origin anymore. It was possible before.

I know it's not the same thing as the OP's, but it might be something in the same direction. Tightening security policy (...or implementing it as it was meant in the first place).
Here is the bug that I reported and the explanation

You should probably write a bug report and see if something has really changed with the security policy.

Bogdan

Sep 24, 2015, 3:39:48 AM
to Chromium-extensions, dan...@pepfeed.com
Hi Antony,

Attached is a dummy extension (a zip file and also a .crx). Here is also a screencast: http://screencast.com/t/vgq2hl25
Maybe Wolf War is right and you may have tightened your security policy or implemented it as it was meant in the first place.

The sure thing is this was working 2 days ago.
We used to parse all the iframes/frames from the web page to detect if a user selected some text.
To test this, just enter a website which contains an iframe/frame with a different origin (google.com - it will throw an error like in the screencast from the plus button of Google).

dummyextension.zip
dummyextension.crx

Devlin Cronin

Sep 24, 2015, 12:28:39 PM
to Chromium-extensions, dan...@pepfeed.com
Hi All,

This is an intentional change, which prevents content scripts from accessing iframes of other origins.  We needed to do this for two reasons: 1) this fixes a security vulnerability to our users (the details aren't fully public yet), and 2) this behavior was incompatible with Site Isolation.  The accepted workaround for this is to inject scripts explicitly into each frame (either through tabs.executeScript or content scripts - both have "all frames" options).  I'm sorry for any inconvenience this is causing.

Cheers,
- Devlin

Bogdan

Sep 24, 2015, 1:25:55 PM
to Chromium-extensions, dan...@pepfeed.com
Hi Devlin,

Thanks for your response. I guess we will stick with chrome.tabs.executeScript (it will take some time but this can be done with executeScript).

I have one question: is there a place where such changes are announced (in order to prevent some bad user experience for our users)? The only link I check for changes is this: https://developer.chrome.com/extensions/whats_new

jagdish achara

Sep 24, 2015, 1:31:01 PM
to Devlin Cronin, Chromium-extensions, dan...@pepfeed.com
Hello Devlin,

Can you please explain what would happen in the scenario below, given these new changes in the content script permissions?

Here is a scenario: I send a message from my background page to a tab and there are multiple iframes in that tab. In my manifest, I specify "all_iframes": true; so all iFrames receive my message but I see that only one of them is able to respond back to me. Is it normal? I think all of the iFrames (who have my content script code loaded) should be able to respond back to me? Is it an issue you forgot to address in the new changes or is it normal behavior that you expect to work in this way?

As per the docs https://developer.chrome.com/extensions/messaging#connect (please scroll up a bit) I see that in the case of multiple pages, only the first to call sendResponse() for a particular event will succeed in sending the response. All other responses to that event will be ignored. But IMHO, this behavior should not apply in the case of all iFrames in a particular page.



Devlin Cronin

Sep 24, 2015, 2:30:52 PM
to jagdish achara, Chromium-extensions, dan...@pepfeed.com
Bogdan:
> I have one question: is there a place where such changes are announced (in order to prevent some bad user experience for our users)? The only link I check for changes is this: https://developer.chrome.com/extensions/whats_new

In this particular case, the change was actually pushed out very quickly, and didn't go through normal release channels, since it was in response to a security vulnerability.  Normally, these changes go through the normal flow of canary -> dev -> beta -> stable, taking around six weeks or more to reach stable, so you would have had more warning, if you test/use any of the earlier release channels.

In retrospect, we probably should have announced this change on this list once all users were updated, which wouldn't have given you much more notice (again, we can't announce *before* we make the change for security), but wouldn't have left you wondering.  I'll try to remember to do that in the future. :)

jagdish:
> Here is a scenario: I send a message from my background page to a tab and there are multiple iframes in that tab. In my manifest, I specify "all_iframes": true; so all iFrames receive my message but I see that only one of them is able to respond back to me. Is it normal? I think all of the iFrames (who have my content script code loaded) should be able to respond back to me? Is it an issue you forgot to address in the new changes or is it normal behavior that you expect to work in this way?

Messaging should work to/from all frames, as long as each content script registers itself as a listener on the event.  If you're still having problems, I'd suggest posting on Stack Overflow (there's a good community of folks that answer extensions questions), and if it still seems like it should work, file a bug at crbug.com/new.

Cheers,
- Devlin
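
[Added example, not part of any post in this thread and not Chrome's own code.] A sketch of the per-frame workaround described above: with "all_frames": true each frame's copy of the content script reports only its own selection, and the background page keys the reports by the browser-supplied sender.frameId instead of depending on a single sendResponse(). The function names and the message shape are assumptions made for illustration.

```javascript
// Added example: per-frame reporting instead of reaching into cross-origin iframes.
// Function names and the message shape are illustrative assumptions.

// Content-script side. Loaded in every frame ("all_frames": true, or
// chrome.tabs.executeScript(tabId, {file: "...", allFrames: true})).
function buildSelectionReport(win) {
  const text = String(win.getSelection() || "").trim();
  return text ? { type: "selection", text } : null; // nothing selected: stay quiet
}

function installFrameReporter(win, runtime) {
  win.document.addEventListener("mouseup", () => {
    const report = buildSelectionReport(win);
    // Each frame sends its own message, so no frame competes for sendResponse().
    if (report) runtime.sendMessage(report);
  });
}

// Background side. Frame identity (tab, frameId, url) is taken from the
// browser-supplied sender, not from anything the message itself claims.
function createSelectionStore(maxLen = 10000) {
  const tabs = new Map(); // tabId -> Map(frameId -> { url, text })
  return {
    onMessage(msg, sender) {
      if (!msg || msg.type !== "selection" || typeof msg.text !== "string") return false;
      if (!sender || !sender.tab) return false; // not sent by a content script
      if (!tabs.has(sender.tab.id)) tabs.set(sender.tab.id, new Map());
      tabs.get(sender.tab.id).set(sender.frameId, {
        url: sender.url,
        text: msg.text.slice(0, maxLen), // bound what one frame can store
      });
      return false; // no asynchronous sendResponse
    },
    forTab(tabId) {
      return [...(tabs.get(tabId) || [])].map(([frameId, r]) => ({ frameId, ...r }));
    },
  };
}

// Wiring. In a real extension the two halves live in separate files; chrome.tabs
// is only defined in the background page, which is used here to tell them apart.
if (typeof chrome !== "undefined" && chrome.runtime) {
  if (chrome.tabs) chrome.runtime.onMessage.addListener(createSelectionStore().onMessage);
  else installFrameReporter(window, chrome.runtime);
}
```
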

Wolf War

Sep 24, 2015, 5:33:32 PM
to jagdish achara, Devlin Cronin, Chromium-extensions, dan...@pepfeed.com
It's not a big thing, but sometimes those little ones make a mess.
It should be:
"all_frames": true
I just tested with all_iframes to see if it is gonna throw an error, but it didn't.

jagdish achara

Sep 25, 2015, 1:51:54 AM
to Wolf War, Devlin Cronin, Chromium-extensions, Daniel Loureiro
Actually, in my manifest.json, I had put "all_frames": true; I just messed it up in the email.

jagdish achara

Sep 25, 2015, 3:50:40 AM
to Devlin Cronin, Chromium-extensions, Daniel Loureiro
@Devlin: It's the same content script being loaded in different iFrames on the same page.
