HTML page on web_accessible_resources and content_scripts

[s.panja]

Hi all,

My extension has an HTML page defined as web_accessible_resources and I want to be able to run a content script (of the same extension and/or of a different extension) on such a page. Is that technically even possible? I have been trying to achieve that but no success yet. I couldn't find any chrome documents mentioning about this topic. 

If this is by design that it is not possible to run any content scripts on a web_accessible_resources page, it would make such a page super secure because it's basically not possible to inject any scripts to a web_accessible_resources page... do I get it right? Please suggest.

Thanks,

s.panja

[Is Manu]

Hi,

"web_accessible_resources " are medias in your extension.

You can display them on a html page like that

manifest :

 "web_accessible_resources":[

      "res/img/myIMG.gif",

      "res/img/MyOtherIMG.gif"

   ],

 

in a script of yours "content_scripts" :  

//using jquery :

var img = $('<IMG>');

img.attr('src', chrome.extension.getURL('res/img/myIMG.gif')) ; //take care to write the same path declared in the manifest

img.addClass('atf_tests');

img.appendTo('body');

that all.

You can inject in a web page all "you have in your mind" (img, css, js, html, ...).

But keep in mind : you have a sandbox between the web page (and so, the original javascript code) and your extension.

The original page cannot communicate with your extension (directly).

[PhistucK]

Do content scripts work on HTML pages in your extension that were not added to web_accessible_resources? If so, then I reckon they should work the same whether they are there or not.

I think you cannot inject content scripts to extension pages in general, though, so I expect web_accessible_resources not to matter.

If my understanding is correct, then if you want to apply a script from your extension, just add <script src=...></script> yourself to the HTML.

☆PhistucK

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/cb11a576-9eb7-4a1b-9467-13a2a48fad7a%40chromium.org.

[s.panja]

Thank you PhistucK for your reply. 

According to this document (https://developer.chrome.com/extensions/manifest/web_accessible_resources), I understood that I must list an HTML page as web accessible resource so that a web origin can navigate to it. I do not know an option to not list my HTML page to web_accessible_resources and still be able to navigate to it. Therefore, I do not know an answer to your question. Or maybe I didn't understand your question. please let me know.

And indeed, as you suggested, I could explicitly hardcode <script src=...></script> loading in such a page. I also notice that such a web_accessible_resources HTML page is running in a similar context to that of the background script because it has access to the WebExtension APIs that are usually available for a background script / not a content script e.g. chrome.tabs or chrome.extension.getBackgroundPage().

I have a similar feeling to you regarding that no scripts can be injected into extension pages (including an HTML page listed in web_accessible_resources). If that is the case, then that means I can use this page for a secure interaction with the user. That's why I want to double check my thought with the community if this is a way to go.. because I couldn't get any confirmation from neither chrome documentation nor MDN's.

On Tuesday, January 21, 2020 at 11:26:01 AM UTC+1, PhistucK wrote:

Do content scripts work on HTML pages in your extension that were not added to web_accessible_resources? If so, then I reckon they should work the same whether they are there or not.

I think you cannot inject content scripts to extension pages in general, though, so I expect web_accessible_resources not to matter.

If my understanding is correct, then if you want to apply a script from your extension, just add <script src=...></script> yourself to the HTML.

☆PhistucK

On Tue, Jan 21, 2020 at 10:53 AM s.panja <s.p...@gmail.com> wrote:

Hi all,

My extension has an HTML page defined as web_accessible_resources and I want to be able to run a content script (of the same extension and/or of a different extension) on such a page. Is that technically even possible? I have been trying to achieve that but no success yet. I couldn't find any chrome documents mentioning about this topic. 

If this is by design that it is not possible to run any content scripts on a web_accessible_resources page, it would make such a page super secure because it's basically not possible to inject any scripts to a web_accessible_resources page... do I get it right? Please suggest.

Thanks,

s.panja

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extensions+unsub...@chromium.org.

[s.panja]

Thank you Is Manu for your reply.

My apology..maybe I didn't post my question clearly. I didn't want my content script to use a web_accessible_resource and to inject it into a web page. I want to know is that when I navigate to an HTML (listed as a web accessible resource of my extension),

- Can I still inject a content script of the same extension to such an HTML page? I understood that I can inject a content script into a page by two manners: declaratively (install time / run time) and programmatically. I think there will be no luck on the declarative approach because the match patterns do not support <scheme> like 'chrome-extension'. What do you think? If that is the case, then maybe I've got to try the programmatic approach (I have just found out now that this approach exists :| )

- Can content scripts of other extensions get injected into such an HTML page? Is this by design for security purpose?

[Kent Brewster]

I think you will have a hard time running a different extension's content script. (If I were a reviewer I woulld instantly reject this.)

From your own extension is easier as long as you don't try to execute inline JavaScript, which will require a custom content security policy. Here's how we do it:

/manifest.json

"web_accessible_resources": [
"/html/thePage.html"
]

/html/thePage.html:

<!DOCTYPE html>
<html>
<head>
<title></title>
<meta charset="utf-8" />
</head>
<body>
<script src="../scripts/theScript.js"></script>
</body>
</html>

/scripts/theScript.html:

alert("ding!");

Hope this helps,

--Kent

> --
> You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.

[PhistucK]

You can navigate to chrome-extension://extension-id/your-html-file.html using the address bar, even if you do not list it in web_accessible_resources.

You can get the extension ID from chrome://extensions

☆PhistucK

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/cb11a576-9eb7-4a1b-9467-13a2a48fad7a%40chromium.org.

--

You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/b51e72b9-fd4b-4976-98ea-2cc959c22777%40chromium.org.

[s.panja]

Thank you Kent Brewster for your reply. Our team over here agrees with your remark 'If I were a reviewer I would instantly reject this'. Because of your remark, I have marked this post as complete. 

> To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extensions+unsub...@chromium.org.