Chrome extension with iframe: Domains, protocols and ports must match - google-chrome

Manifest version 2 and its new content_security_policy are now required for Chrome extensions.
I read some docs about "sandbox mode", which seems to be a workaround for inline JavaScript, but I still have a big issue.
After some refactoring, I got the following error:
"Unsafe JavaScript attempt to access frame with URL chrome-extension://mafcgphdkdbjlngfndodameheehmfhac/eventpage.html from frame with URL chrome-extension://mafcgphdkdbjlngfndodameheehmfhac/DCE24DB153A80B735442BF97F168AE6C.cache.html. Domains, protocols and ports must match."
I can't understand why 2 files from the same extension don't have the same "Domains, protocols and ports"!
NB: Here is a part of my manifest:
"permissions": [
    "http://*/",
    "tabs"
],
"background": {
    "page": "eventpage.html",
    "persistent": false
},
"sandbox": {
    "pages": [
        "sandbox.html",
        "DCE24DB153A80B735442BF97F168AE6C.cache.html"
    ]
}
...

Sandboxed pages are allowed to bypass the extension's Content Security Policy in part because sandboxing forces them into a unique origin. They don't have access to the extension's special APIs, nor can they grab its data.
http://developer.chrome.com/trunk/extensions/sandboxingEval.html offers a description of the workflow we'd suggest you use with sandboxed pages. In short, you'll need to replace direct access between the frame and its parent with postMessage-based communication.
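The postMessage-based workflow the answer refers to, as an added example (not code from the question, the answer or the Chrome docs): a parent-side helper for eventpage.html that sends jobs to the sandboxed page and accepts only replies that come from that frame. It assumes the sandboxed page answers each request with an object of the form {id, result}; the message shape and the stand-in window used to drive it are constructed for this example.

```javascript
// Parent-side channel to a sandboxed extension page. Direct frame access is replaced by
// postMessage; the sandbox is identified by its window object, not by event.origin.
function createSandboxChannel(sandboxWindow) {
  const pending = new Map();   // request id -> callback awaiting the sandbox's reply
  let nextId = 1;

  function request(payload, onResult) {
    const id = String(nextId++);
    pending.set(id, onResult);
    // A sandboxed page has an opaque origin, so no concrete targetOrigin can be named;
    // '*' is tolerable here only because nothing secret is sent into the sandbox.
    sandboxWindow.postMessage({ id, payload }, '*');
    return id;
  }

  // Install as window.addEventListener('message', channel.onMessage) in the parent.
  // Returns true when a reply was accepted, false when the event was dropped.
  function onMessage(event) {
    // event.origin is "null" for every opaque-origin frame, so it cannot tell the
    // sandbox apart from any other frame; compare against iframe.contentWindow instead.
    if (event.source !== sandboxWindow) return false;
    const data = event.data;
    if (!data || typeof data.id !== 'string' || !pending.has(data.id)) return false;
    const onResult = pending.get(data.id);
    pending.delete(data.id);            // one reply per request; duplicates are ignored
    onResult(data.result);
    return true;
  }

  return { request, onMessage, pendingCount: () => pending.size };
}

// Constructed stand-in for iframe.contentWindow that only records what it was sent.
function makeFakeSandboxWindow() {
  const sent = [];
  return { sent, postMessage(msg) { sent.push(msg); } };
}

// Simulated round trip: the parent sends a template job, a stray frame tries to answer
// with the right id, then the real sandbox replies, then a duplicate reply arrives.
function demoRoundTrip() {
  const sandbox = makeFakeSandboxWindow();
  const channel = createSandboxChannel(sandbox);
  let result = null;
  const id = channel.request({ template: 'hello {{name}}', name: 'world' }, (r) => { result = r; });
  const spoofed = channel.onMessage({ source: {}, origin: 'null', data: { id, result: 'spoof' } });
  const accepted = channel.onMessage({ source: sandbox, origin: 'null', data: { id, result: 'hello world' } });
  const replay = channel.onMessage({ source: sandbox, origin: 'null', data: { id, result: 'again' } });
  return { sent: sandbox.sent.length, spoofed, accepted, replay, result, left: channel.pendingCount() };
}
```

In the real sandboxed page the same rule applies in reverse: reply with event.source.postMessage(...) so the answer goes only to the window that asked.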

Related

How to make a Chrome Extension to redirect when specific pages are accessed in Manifest V3

I'm trying to make a Chrome extension that redirects to a predefined page when a specified page is loaded.
I'm using webRequest for this, but now that I have to migrate to Manifest V3, webRequest can not be used anymore.
Can anyone help me rewrite the script to make it work with Manifest V3?
Here's the script that I use to redirect pages:
var host = "http://example.com";
chrome.webRequest.onBeforeRequest.addListener(
    function(details) {
        return {redirectUrl: host + details.url.match(/^https?:\/\/[^\/]+([\S\s]*)/)[1]};
    },
    {
        urls: [
            "*://foo.com/demo*",
            "*://www.foo.com/test/*"
        ],
        types: ["main_frame", "sub_frame", "stylesheet", "script", "image", "object", "xmlhttprequest", "other"]
    },
    ["blocking"]
);
I would not recommend using declarativeNetRequest for this task, it is very limited in its capabilities and has an awkward interface.
It sounds like you want to redirect the user prior to the page being loaded. If that's the case, you need to hook into the request/response lifecycle using the chrome.debugger API. I describe how to do that here; this application seems easily adaptable to your own. This is the only way to get the same caliber of request manipulation capabilities in MV3 as in MV2.
Alternative approach:
Use the chrome.webNavigation API. This will just entail setting up event listeners/handlers for one or more of the following:
onBeforeNavigate -> onCommitted -> [onDOMContentLoaded] -> onCompleted
Here you can find many examples of other projects using this API.
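The webNavigation alternative from the answer, as an added example (not the asker's or the answerer's code): an MV3 service worker that rewrites matching top-frame navigations with chrome.tabs.update. Unlike the MV2 blocking listener it cannot stop the original request, only redirect the tab once navigation has started; it assumes a manifest with the "webNavigation" permission and a host permission for the matched pages. The rewrite keeps the original's behaviour (replace scheme and host, keep the rest of the URL) but checks host and path explicitly instead of via a regex.

```javascript
const TARGET_HOST = 'http://example.com';     // replaces scheme+host of matched URLs, as in the original
const MATCH_RULES = [                           // mirrors "*://foo.com/demo*" and "*://www.foo.com/test/*"
  { host: 'foo.com', pathPrefix: '/demo' },
  { host: 'www.foo.com', pathPrefix: '/test/' },
];

// Returns the redirect URL for a matching navigation, or null when it must be left alone.
function computeRedirect(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return null; }   // malformed input: no redirect
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  const hit = MATCH_RULES.some(
    (r) => parsed.host === r.host && parsed.pathname.startsWith(r.pathPrefix),
  );
  if (!hit) return null;
  // Same effect as the original regex: keep path, query and fragment, swap scheme and host.
  return TARGET_HOST + parsed.pathname + parsed.search + parsed.hash;
}

// Runtime wiring; only runs inside an extension service worker where chrome.webNavigation exists.
if (typeof chrome !== 'undefined' && chrome.webNavigation) {
  chrome.webNavigation.onBeforeNavigate.addListener((details) => {
    if (details.frameId !== 0) return;          // top frame only; tabs.update cannot retarget subframes
    const target = computeRedirect(details.url);
    if (target) chrome.tabs.update(details.tabId, { url: target });
  });
}
```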

Constantly getting the rejection - "Due to the Host Permission, your extension may require an in-depth review which will delay publishing."

I am trying to publish the extension to the Chrome app store. I have tried many times but it gets rejected every time.
The manifest file is:
{
    "name": "App name",
    "description": "Blank!",
    "version": "0.0.0.1",
    "manifest_version": 2,
    "icons": {
        "128": "icon.png"
    },
    "background": {
        "page": "background.html",
        "persistent": false
    },
    "browser_action": {
        "default_icon": "icon.png",
        "default_popup": "popup.html",
        "default_title": "Name"
    },
    "content_scripts": [
        {
            "all_frames": true,
            "css": ["css/main.css"],
            "js": [
                "js/jquery-3.1.0.min.js",
                "js/popup.js",
                "main.js",
                "js/dashboard.js"
            ],
            "matches": [
                "*://*.facebook.com/*/*/requests/",
                "*://*.facebook.com/*/*/requests",
                "*://*.facebook.com/*"
            ],
            "run_at": "document_end"
        }
    ],
    "content_security_policy": "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'",
    "update_url": "https://clients2.google.com/service/update2/crx",
    "oauth2": {
        "client_id": "xxxxxx-xxxxxxxxxx.apps.googleusercontent.com",
        "scopes": [
            "https://www.googleapis.com/auth/spreadsheets"
        ]
    },
    "permissions": [
        "tabs",
        "storage",
        "notifications",
        "identity",
        "*://*.herokuapp.com/*"
    ],
    "web_accessible_resources": ["*.png"]
}
The answers that I am submitting are like so:
Permission justification
Error Due to the Host Permission, your extension may require an in-depth review which will delay publishing.
tabs- to get the current tab url or location.
storage - to store the user token for authentication and user specific data.
notifications - to show the messages to the user when they logged in or logged out.
identity - to authorize user using google
Host permission -
https://*.facebook.com/* = to get the Facebook page URL and get the Facebook group Id from the URL
https://*.facebook.com/*/*/requests/ = to get the request page inside Facebook and hence to activate the extension feature related to that group
https://*.herokuapp.com/* = to access the APIs from the backend server and to manage all the basic functionality.
Remote code - Yes, I am using remote code - I have called the Google API module (https://apis.google.com) for adding the data to the user's given Google Sheet.
I have tried more than 5 times in a row, and it still gets rejected with the same error.
Let me know where I am making a mistake.
Nobody knows how Chrome performs their reviews but at a minimum you should carefully go over the permissions, remove the ones you don't need and restrict the ones you have. I don't know how your extension works but it looks like there's a ton you can do here:
"tabs - to get the current tab url or location" - You shouldn't need this permission to get the current tab URL, only for more invasive queries.
"https://*.herokuapp.com/*" - This should be limited to the host you need to communicate with. Why would you need to communicate with any Heroku app at all?
"storage - to store the user token for authentication and user specific data." - Are you sure you need this? Test without it.
"script-src ... 'unsafe-eval'" - This is a massive security risk. You'd be best to change your implementation to not need this.
"object-src 'self'" - Why do you need this? You probably don't.
For the content_security_policy, you'd be better off adding "default-src 'none';" to remove all permissions, then adding only the ones you need.
"Remote code - Yes, I am using remote code - I have called the google api module" - Why do you need remote code for this? You should be able to implement this with JavaScript contained within your app + HTTP requests.
Hope that helps. The opaque Chrome review process is horrible.
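To make the CSP points in this answer checkable, here is an added example (not part of the thread): a small audit of an MV2 content_security_policy string, run over the asker's policy and over a tightened one that follows the answer (default-src 'none', no 'unsafe-eval', no remote script source, no object-src). The connect-src hosts in the tightened policy are placeholders; the Heroku hostname is made up and would be the app's own backend.

```javascript
// Split a CSP string into directive -> source list (directive names are case-insensitive).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings for an extension CSP; an empty list means it passed these checks.
function auditExtensionCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = d.get('script-src') || [];
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  for (const src of script) {
    // Any https: host in script-src is remote code, which the review form asks about.
    if (/^https?:\/\//.test(src) || src === 'https:' || src === '*') {
      findings.push(`script-src loads remote code from ${src}`);
    }
  }
  if (!d.has('default-src')) findings.push("no default-src fallback; add default-src 'none'");
  const obj = d.get('object-src');
  if (obj && !obj.includes("'none'")) findings.push(`object-src permits plugins: ${obj.join(' ')}`);
  return findings;
}

// The policy from the question, and a tightened one along the lines of the answer.
const ASKER_POLICY = "script-src 'self' https://apis.google.com 'unsafe-eval'; object-src 'self'";
const TIGHTENED_POLICY =
  "default-src 'none'; script-src 'self'; " +
  "connect-src https://placeholder-app.herokuapp.com https://sheets.googleapis.com; " +  // placeholder hosts
  "img-src 'self'; style-src 'self'";
```

The asker's policy produces four findings (unsafe-eval, remote script host, no default-src, object-src 'self'); the tightened one produces none, and the Sheets calls move from a remote script to plain HTTP requests allowed by connect-src.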
For me, I was getting that message not because it was failing the review, but because I had not yet filled out the box "Host permission justification". You need to fill out this in order to be able to submit, otherwise it fails the form validation as it's a mandatory field.
In my case host permission was required because I was using a regex for a content script in the manifest file.
After completing the host permission justification field, I was able to submit. As the message suggests, requiring this permission could mean the review takes longer than if it is not required.
I have found that it's necessary to submit the privacy policy and terms of services links to the chrome store account section.
Hope it worked for you also.

How to filter URLS in chrome extension that do not start with http or https

I am learning how to write Chrome extensions, and am doing so because of a tool I need for testing in our local environment. I am trying to make the manifest file's section where you tell it what URLs to run against, but our testing environment URLs are not working with it. We map the domains, for example, like this:
Example.com instead of http://example.com
Though, when I place this in my manifest settings, it gives me an error for invalid url without a
Manifest code here:
{
    "manifest_version": 2,
    "name": "K Domain Cleaner",
    "version": "0.1",
    "content_scripts": [
        {
            "matches": ["<all_urls>"],
            "js": ["jquery.js", "kc-domaincleaner-1.0.js"]
        }
    ]
}
When I try to set the matches property like so:
{
    "manifest_version": 2,
    "name": "K Domain Cleaner",
    "version": "0.1",
    "content_scripts": [
        {
            "matches": ["Dev3.com"],
            "js": ["jquery.js", "kc-domaincleaner-1.0.js"]
        }
    ]
}
I get the following error:
Failed to load extension from: ~\Desktop\Chrome Extensions
Invalid value for 'content_scripts[0].matches[0]': Missing scheme separator
So it will not only run under our testing domains. Why can I not use a prefix of http://, and is there a way around this? http://Dev3.com is totally different than Dev3.com. Thanks in advance.
This is an invalid URL.
A URL by definition must contain the scheme. Without it, it can be interpreted as an address, but not as what (and how) you want to access at that address.
If you're entering a domain name without a scheme in the address bar, it's assumed to be http: by default, just like not entering a port assumes some default (that depends on the scheme).
In that context "http://Dev3.com is totally different than Dev3.com" makes no sense, though it is strictly true: one is a valid URL, and the other is just a string (that happens to be a valid domain name).
Do note: Chrome simply hides http:// from the address bar, but it's implicitly there. That may be the source of your confusion. Rest assured that http://example.com will cover an address that's displayed in the address bar as example.com.
As wOxxOm mentions, you should take a look at the docs as well.

Access local chrome-urls in chrome-app

How can I get access to the local chrome-urls to receive content from there? For example use an iframe for chrome://version or access the content directly with AJAX.
Any ideas? I tried the following permission:
{
    "manifest_version": 2,
    "app": {
        "permissions": [
            "chrome://*",
            "chrome://version"
        ]
    }
}
--> "Not allowed to load local resource"
I had a look at the possible permissions but didn't find anything that fits my expectation. https://developer.chrome.com/extensions/declare_permissions
Thanks a lot in advance
Nope, you can't access chrome:// URLs in an app.
It's indirectly possible in an extension through tabs API, but there's nothing for the moment that can allow an app to do that.

How can I include TTS in a Chrome App?

I'm trying to use text-to-speech in a Chrome app, but I'm getting an error when trying to load the app.
My manifest.json looks like this:
{
    "name": "APPNAME",
    "description": "DESCRIPTION",
    "version": "3",
    "app": {
        "urls": ["APPURL"],
        "launch": {"web_url": "APPURL"}
    },
    "icons": {"24": "icon24.png", "128": "icon128.png"},
    "permissions": ["tts"]
}
The error I'm getting reads "Could not load extension from <PATH>. Access to permission 'tts' denied."
Removing the "app" part of the manifest seems to allow it to load without problems. That would make me think that TTS is limited to Chrome extensions, but the docs suggest otherwise. Changing the "tts" permission to the "cookies" permission results in the same error, but changing it to "clipboardRead" does not.
I'm attempting to load the app via: Tools > Extensions > Load unpacked extension, and I'm using Chrome 16 on Ubuntu 11.10.
Can anyone tell me what I'm doing wrong?
It turned out that some permissions are only available for extensions and packaged apps. I was trying to use tts with a webapp, which is unfortunately not available.
That said, the Web Speech API is now available, along with Speech Synthesis.