Is it required to use activeTab and executeScript to inject local script?

[Ilda Kim]

Hello everyone! 

I am wondering if my way of script injection is appropriate. As of now, I am injecting one script at the start when the user opens www.example.com  using the <script> tag and I am appending it to the body. src of the script is part of the package. I am doing this from the content script. 

Then, when the user travels to www.example.com/<any page>, it checks the URL using location.href + specific event listener fired at page1 and communicates with the content script it was called from to change the DOM. I have a lot of event listeners for tracking changes in the URL and to communicate information from the content script (for chrome.storage API). It is required that I need to inject a script to manipulate custom javascript elements and custom events from the webpage. 

But it seems like a lot of developers are using activeTab and executeScript to do similar task, but I am unsure if activeTab and executeScript is required. During the review process, is my way of injecting scripts going to be problematic?

Thank you so much

[wOxxOm]

There's no such requirement, but activeTab may work for you if you navigate within the same scheme://host and you want the user to interact with your extension first e.g. click its icon. Anyway, there's a possibility you can simplify your current code regardless of activeTab because observing navigation in a tab is quite simple: chrome.webNavigation or chrome.tabs.onUpdated in an extension script or navigation.onnavigate event in the content script if the site is a single-page application that reuses the same page and only "spoofs" its URL.

[Ilda Kim]

My extension does indeed target single page application. Didnt even think chrome.webNavigation. Thank you always for your insight and contribution

[Ilda Kim]

Is there a reason why I see most developers choosing to use chrome APIs instead of the traditional javascript route? For example, why do developers choose to use the tabs / activeTab API instead of injecting the script programmatically? 

On Wednesday, August 23, 2023 at 11:16:50 PM UTC-7 wOxxOm wrote:

[wOxxOm]

If "traditional javascript route" means creating a <script> element in the web page, its problem is that it runs in an unsafe context ("MAIN" world) where your code/data may be hijacked via "poisoned" prototypes and globals. Sometimes we have to use it to access the data or functions added by JS of the page, but generally it should be avoided and never trusted.

It's unclear what you mean by "use tabs / activeTab API instead of injecting the script programmatically" because the former is actually what "programmatic injection" is, i.e. chrome.tabs.executeScript and chrome.scripting.executeScript. The advantage of this method is that it can be used on demand, after the user interacted with the extension explicitly, so no unwanted code runs "by default". A common mistake I've seen is to declare a content script on all sites and use it only after the user clicked the extension, which wastes CPU/memory to run this script in every page the user opens.