In chrome packaged apps, Is there a way to declare multiple sandboxes, each one having its own content security policy? - manifest

I need to have sandboxes totally secured, others more "relaxed".
I tried this in the manifest.json (doesn't work, but describes accurately what I need to do):
...,
"sandbox": [
  {
    "pages": [
      "sandbox1.html"
    ],
    "content_security_policy": "<strict csp...>"
  },
  {
    "pages": [
      "sandbox2.html"
    ],
    "content_security_policy": "<relaxed csp...>"
  }
]
Unfortunately, I cannot find a way to have more than one content security policy for sandboxed pages.
The documentation shows how to implement the same CSP for multiple sandbox pages, but not how each sandbox could have its own CSP.
Is there any way to achieve this?

Seems like it's not possible; "sandbox" is an object and can only have one "content_security_policy" key.
Sounds like an idea for a feature request.

Related

Firefox extension: unexpected property in contentscript permissions

I'm trying to load an extension, which was originally developed for Chrome, into Firefox. I'm aware that there are subtle differences, my idea was to fix the errors one by one.
The manifest can actually be loaded, an icon is added and the extension is listed as installed.
But during the loading, there are two warnings. One of them is:
Reading manifest: Error processing content_scripts.0.permissions: An unexpected property was found in the WebExtension manifest.
Unfortunately, this doesn't tell me which property is unexpected. I opened the debug consoles, the message is identical, there is no additional information.
The content_scripts section from the manifest is this:
"content_scripts": [
  {
    "css": [
      "extra.css",
      "all.css",
      "bootstrap.min.css"
    ],
    "js": [
      "firebase.js",
      "jquery.min.js",
      "content.js",
      "popper.min.js",
      "bootstrap.min.js"
    ],
    "matches": [
      "https://dlab.epfl.ch/*",
      "https://*.wikipedia.org/*"
    ],
    "permissions": [
      "storage",
      "activeTab"
    ]
  }],
The permissions look good to me. I checked against the Mozilla docs here, to avoid something like a spelling mistake. But storage and activeTab are allowed as permissions.
How can I find out what this unexpected property is?
For reference, here is the full manifest: https://pastebin.com/dkaNmZHk
As @wOxxOm said, it is a simple mistake in the JSON layout:
permissions should be top-level and not within content_scripts.
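A small manifest check for the mistake described in this answer, added here as an example (not code from the question or answer). The function name, the sample manifest and the list of accepted content script keys are assumptions; permissions hoisted to the top level apply to the whole extension, so review the merged list.

```javascript
// Keys documented for a content_scripts entry (assumed list; adjust per browser).
const CONTENT_SCRIPT_KEYS = new Set([
  "matches", "exclude_matches", "include_globs", "exclude_globs",
  "css", "js", "run_at", "all_frames", "match_about_blank",
  "match_origin_as_fallback", "world",
]);

// Returns { findings, fixed }: the path of every unexpected key, plus a copy of
// the manifest with misplaced "permissions" merged into the top-level list.
function lintContentScripts(manifest) {
  const findings = [];
  const hoisted = new Set(manifest.permissions || []);
  const scripts = (manifest.content_scripts || []).map((entry, i) => {
    const clean = {};
    for (const [key, value] of Object.entries(entry)) {
      if (CONTENT_SCRIPT_KEYS.has(key)) {
        clean[key] = value;
        continue;
      }
      findings.push(`content_scripts.${i}.${key}`);
      if (key === "permissions" && Array.isArray(value)) {
        value.forEach((p) => hoisted.add(p)); // Set removes duplicates
      }
    }
    return clean;
  });
  const fixed = { ...manifest };
  if (manifest.content_scripts) fixed.content_scripts = scripts;
  if (hoisted.size > 0) fixed.permissions = [...hoisted];
  return { findings, fixed };
}

// Constructed sample: a trimmed version of the manifest from the question.
const sampleManifest = {
  manifest_version: 2,
  name: "sample",
  version: "1.0",
  permissions: ["storage"],
  content_scripts: [{
    js: ["content.js"],
    matches: ["https://*.wikipedia.org/*"],
    permissions: ["storage", "activeTab"],
  }],
};

const lintResult = lintContentScripts(sampleManifest);
console.log(lintResult.findings, lintResult.fixed.permissions);
```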

Why can't you create Custom Elements in content scripts?

I attempted to create a custom element in a Chrome extension content script but customElements.define is null.
customElements.define('customElement', class extends HTMLElement {
  constructor() {
    super();
  }
  ...
});
So apparently Chrome doesn't want content scripts to create custom elements. But why? Is it a security risk?
I can't seem to find anything in Chrome's extension guide that says it's not allowed.
I found the solution reading this page but the information was so cumbersome I wanted to write this answer for future readers (I am using Manifest v3).
Firstly, install the polyfill:
npm install @webcomponents/webcomponentsjs -D
Then add the polyfill in your content_scripts block in your manifest file:
"content_scripts": [{
  "matches": [ "..." ],
  "js": [
    "./node_modules/@webcomponents/webcomponentsjs/webcomponents-bundle.js",
    "content.js"
  ]
}]
(important: you have to load it before your content script of course as the polyfill needs to load before you can use it)
Now it should work. Cheers
Note: the customElements feature is implemented in most modern browsers but for some reason the interface is not available from a content script because the scripts are run in an isolated environment (not sharing the same window object space from the webpage the extension runs in).
As of now, custom elements can be used in Chrome extension UI: in the popup UI, the options page UI and in the content script as well. But it requires a polyfill, which is this.
https://github.com/GoogleChromeLabs/ProjectVisBug - this is the one big custom element in the chrome extension.

Binding extension content scripts to Chrome's start page?

Is there any way to bind a content script to Chrome's start page?
I tried setting matches to "*", but it doesn't even run. With "*://*/*" it does not bind.
No, you cannot*. Technically, the start page is chrome://newtab/, and Chrome Extensions cannot access chrome:// pages for security reasons, not even with the widest "<all_urls>" permission.
Your only hope is to make your own New Tab page, though it would be hard to replicate all of the default functionality (e.g. thumbnails of top sites).
* One can enable this with Chrome Flags: chrome://flags/#extensions-on-chrome-urls, but this is only applicable if the extension is for personal use and is a potential security risk.
Yes! Chrome's Start page (¿now?) has the hidden URL of the form:
https://www.google.com/_/chrome/newtab?espv=2&ie=UTF-8
And extensions with manifest.jsons like:
{
  "manifest_version": 2,
  "content_scripts": [ {
    "js": [ "HelloWorld.js" ],
    "matches": [ "*://*/_/chrome/newtab*" ]
  } ],
  "name": "Chrome start test",
  "description": "Runs on the Chrome Start page",
  "version": "1"
}
...run perfectly well on the Start page.

Redirecting URL in a chrome extension

How can I go about redirecting chrome in an extension when visiting a given URL?
For example: when I visit http://yahoo.com/ I want it to redirect to http://google.com/
NOTE: A former version of this question asked whether there is any Google chrome extension which automatically redirects the tab when it visits a certain URL. Accordingly, the (currently two) answers below address different questions.
There are many options, the one more convoluted than the other.
1. The webRequest API, specifically the onBeforeRequest event. (Even better, the upcoming declarativeWebRequest API).
2. Content scripts. Inject location.replace('http://example.com') in a page.
3. The tabs API. Use the onUpdated event to detect when a page has changed its location, and chrome.tabs.update to change its URL. Avoid an infinite loop though!
The first one is the best one, because it is activated before a page is even requested. The second one can be activated after the request has been fulfilled, but before the page is rendered ("run_at":"document_start") or after it's rendered ("run_at":"document_end"). I mentioned the last one for completeness, but you shouldn't use it, because the other options are way better.
Here's an example using the webRequest API, a simple extension which allows me to browse pages on the Pirate bay, even though the main hosts are taken down by my ISP (the actual list of URLs is much longer, but I have omitted them for the sake of the example).
See match patterns for an explanation on the URL formats.
manifest.json
{
  "name": "The Pirate Bay",
  "description": "Redirect The Pirate Bay to a different host",
  "version": "1.0",
  "manifest_version": 2,
  "background": {"scripts":["background.js"]},
  "permissions": [
    "webRequest",
    "*://thepiratebay.se/*",
    "*://www.thepiratebay.se/*",
    "webRequestBlocking"
  ]
}
background.js
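var host = "http://tpb.pirateparty.org.uk";
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    // Keep the path and query of the requested URL and swap only the host.
    return {redirectUrl: host + details.url.match(/^https?:\/\/[^\/]+([\S\s]*)/)[1]};
  },
  {
    // The listener only sees URLs covered by the host permissions in
    // manifest.json, so the filter uses the same hosts as the manifest.
    urls: [
      "*://thepiratebay.se/*",
      "*://www.thepiratebay.se/*"
    ],
    types: ["main_frame", "sub_frame", "stylesheet", "script", "image", "object", "xmlhttprequest", "other"]
  },
  ["blocking"]
);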
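The same webRequest approach applied to the yahoo.com to google.com case from the question, added here as an example (not code from the answer). The rule table and the `redirectFor` helper are assumptions; the helper matches exact hostnames with the URL parser instead of a regex and refuses rules that would loop, which is the pitfall the answer warns about.

```javascript
// Hypothetical rule table: exact source hostname -> destination origin.
const REDIRECTS = new Map([
  ["yahoo.com", "http://google.com"],
  ["www.yahoo.com", "http://google.com"],
]);

// Returns the redirect target for rawUrl, or undefined to leave it alone.
function redirectFor(rawUrl, rules = REDIRECTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return undefined; // not a parseable URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return undefined;
  // Exact hostname lookup: "yahoo.com.attacker.example" does not match.
  const target = rules.get(url.hostname);
  if (!target) return undefined;
  const dest = new URL(target);
  // Loop guard: never redirect to a host that is itself redirected.
  if (rules.has(dest.hostname)) return undefined;
  // Set the parts through the URL API so a path such as "//other.example/x"
  // stays a path and cannot replace the destination host.
  dest.pathname = url.pathname;
  dest.search = url.search;
  dest.hash = url.hash;
  return dest.href;
}

// Wiring for a Manifest V2 background page; skipped outside the browser.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const redirectUrl = redirectFor(details.url);
      return redirectUrl ? { redirectUrl } : {};
    },
    { urls: ["*://yahoo.com/*", "*://www.yahoo.com/*"], types: ["main_frame"] },
    ["blocking"]
  );
}
```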
I know I am a bit late in the game to answer this question. Still, I would like to answer this for future readers. Have a look at
Requestly - A Chrome Extension to modify Network Requests.
Currently, you can set up rules for:
Redirect a request URL to another url.
Block some requests.
Replace some part in URL with another string
Modify Headers (Add/Remove/Modify Request and Response Headers)
There are a lot of things in the roadmap to be covered in Requestly, like
Switching User Agents
.. and a lot more.
PS: I have created this So you can blame me if you do not find this helpful :)
You could use my extension. Go to the "Rewrite Rules" tab, click the "+" button and add a new rewrite rule. Note that the rewrite rule is actually a RegEx, so characters like / must be escaped.
https://chrome.google.com/webstore/detail/dev-helper/kbbgddcndpjnadfacanamniaomcohlcc?hl=en

Google Chrome extension that enables a specific website to trigger a function in the extension code

I'm new to extension development, maybe someone has a small example ready for my problem.
I plan a more complicated code (that will execute chromium API functions), but solving this task should help me get started:
I want to create an extension that triggers a popup or alert() (just anything) based on a website javascript call.
So for example my website has a button, when clicked on the button a javascript with a few parameters is executed.
My extension picks those parameters up and executes APIs (for my example just any popup) based on the parameters.
In my basic example I'd like to trigger some sort of popup/notification with the text supplied by the website javascript.
Also only my website domain should be allowed to trigger that, anything else should be rejected.
I'd really appreciate help.
Here is my "empty" manifest
{
  "name": "Special API",
  "version": "1.0",
  "description": "API demo extension.",
  "browser_action":
  {
    "default_icon": "gears.ico",
    "popup": "show_credits.htm"
  },
  "permissions": [
    "http://www.mywebsite.com/"
  ]
}
Here the example button in my website.com/example
<html>
  <body>
    <button onClick="extension_do_exec('Hellow world','abcabc')">Execute extension function</button>
  </body>
</html>
The approach you described is problematic, because javascripts of web-pages, and javascripts of extensions are isolated from each other (there is a concept of isolated world). So it is not possible to get a value "supplied by the website javascript" directly into the extension's javascript. I'd suggest another approach. You possibly could exchange some values by assigning them as properties to DOM objects. These properties can be accessed from a content script, injected into the web-page. Of course, the content script can determine the domain of the page and work as appropriate. As for popups, these are internal pages of an extension, and you should implement some kind of messaging between them and your content script.
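A content script sketch of the approach in this answer, added here as an example (not code from the question or answer). It assumes the page puts its two parameters in `data-ext-text` and `data-ext-code` attributes of the button and dispatches a bubbling `special-api-exec` event; those names, the length limits and the message shape are hypothetical, and the allowed origin is taken from the question's manifest.

```javascript
// Origin from the question's manifest; everything else is rejected.
const ALLOWED_ORIGIN = "http://www.mywebsite.com";
const MAX_TEXT_LENGTH = 200; // assumed limit for the notification text

// Validates a request coming from the page. Page-supplied values are
// untrusted input even on the allowed site, so each field is type-checked
// and bounded. Returns a clean { text, code } object or null.
function acceptRequest(pageOrigin, raw) {
  if (pageOrigin !== ALLOWED_ORIGIN) return null;
  if (raw === null || typeof raw !== "object") return null;
  const { text, code } = raw;
  if (typeof text !== "string" || text.length === 0) return null;
  if (text.length > MAX_TEXT_LENGTH) return null;
  if (typeof code !== "string" || !/^[a-z0-9]{1,32}$/i.test(code)) return null;
  return { text, code };
}

// Content script wiring; skipped when run outside a browser extension.
// Page side (assumed): set the two data attributes on the button, then
//   button.dispatchEvent(new CustomEvent("special-api-exec", { bubbles: true }));
if (typeof document !== "undefined" && typeof chrome !== "undefined") {
  document.addEventListener("special-api-exec", (event) => {
    // DOM attributes are visible from the isolated world, page variables are not.
    const data = (event.target && event.target.dataset) || {};
    const request = acceptRequest(location.origin, {
      text: data.extText,
      code: data.extCode,
    });
    if (request === null) return; // wrong origin or malformed parameters
    // The background page receives this and shows the popup or notification.
    chrome.runtime.sendMessage({ type: "exec", text: request.text, code: request.code });
  });
}
```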