How to disable same origin policy in Chrome extension? - google-chrome

Maybe there are some settings to disable this in extension context? Since I'm developing an extension it should be my own responsibility to not shoot my own goal. It is very frustrating to fiddle with this security thing that is totally out of reason when developing browser extensions.
I don't want to make the whole browser insecure by disabling it globally, just for the scripts that are set in the "content_scripts" section in manifest.json.

Your manifest.json file should have the domain you're looking to use in the permissions:
    "permissions": [
      "http://*.domain.com/"
    ]

Related

Can't open Adblock page from within Chrome Extension

I'm trying to allow users to add an Adblock Whitelist via a Chrome extension. To allow this there is the API like such:
1) Add The Ebates WhiteList
However if I add that link to a Chrome extension popup window the link doesn't go anywhere. My guess is that the Chrome extension execution context isn't aware of Adblock/able to support that API. Is anyone who is more of an extension wizard than myself able to verify that I'm correct in my assumption and that there is no workaround? Thanks!

Changes to PWA manifest not applying

I'm having trouble applying updates made to Progressive Web App manifest. Updating stuff works otherwise just fine, but if I change something from my manifest, like background_color, the launch screen color will not change. I have monitored my server to see that manifest.json is indeed fetched. Restarting phone doesn't apply the changes either, the only way seems to be to uninstall the PWA and add back to home screen.
On desktop, chrome developer tools show that the manifest is correctly fetched and the changes can be seen in the dev tools. Is this expected behavior? Is there a way to make changes to manifest apply after the PWA has already been installed?
This has been addressed in the official The Web App Manifest docs:
Note: If you update your manifest.json file in the future, those
changes won't be automatically picked up by the users unless they
re-add your app to their home screen.
So, this is indeed the expected behavior.

Use eval() in a Chrome chrome-extension:// page

I know that this may be just me being stupid, but in a Chrome tab that has a page loaded with a URL which begins with chrome-extension://, can the scripts be online or use eval();? I know that browser or page action popups or app windows can't use it. Part of my extension opens a normal new tab with a page which uses eval();.
All pages running at the chrome-extension:// origin are subject to a default content security policy described here, specifically:
script-src 'self'; object-src 'self'
A popup is considered such a page, too, as is the invisible background page. If you open a file from your extension, it will be subject to it too.
You can either:
Relax (or tighten) the default policy for all pages with your manifest:
"content_security_policy": "[POLICY STRING GOES HERE]"
This way you can allow eval and friends by adding 'unsafe-eval' to script-src.
You can also allow loading external scripts by adding their origin to the policy; however, only HTTPS origins are allowed for MitM protection reasons.
However, it's important to remember that 'unsafe-inline' will be ignored regardless of your custom policy.
Relax (or tighten) the default policy for a specific page by declaring it sandboxed.
    "sandbox": {
      "pages": [
        "page1.html",
        "directory/page2.html"
      ],
      // content_security_policy is optional.
      "content_security_policy":
          "sandbox allow-scripts; script-src https://www.google.com"
    },
Sandboxed CSP can be more permissive, but still there are a couple of restrictions.
The price of sandboxing is losing access to Chrome API. The sandboxed script has to communicate via DOM messages with some privileged pages to do privileged things.
There's a guide in the documentation, "Using eval in Chrome Extensions. Safely."
For Apps, the situation is a bit different. Again, a default (and more restrictive) CSP applies, but you cannot modify it in the manifest.
Sandboxing approach still works, though.
To use eval, look at the policy "unsafe-eval" in https://developer.chrome.com/extensions/contentSecurityPolicy
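The policy rules from the answers above, applied as a manifest check. This is an added example, not part of either answer and not Chrome's own code; `auditExtensionCsp`, its finding format, and the sample manifest are hypothetical, and it covers only the rules stated above for `script-src`.

```javascript
// Added example. auditExtensionCsp and its finding format are hypothetical
// helpers, not a Chrome API. It applies only the rules stated in the answer.
const DEFAULT_POLICY = "script-src 'self'; object-src 'self'"; // default quoted above

function auditExtensionCsp(manifest) {
  const policy = manifest.content_security_policy || DEFAULT_POLICY;
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  const findings = [];
  for (const source of directives['script-src'] || []) {
    const s = source.toLowerCase();
    if (s === "'self'" || s === "'none'") continue;
    if (s === "'unsafe-eval'") {
      findings.push({ source, level: 'warn', note: 'eval() allowed on all extension pages' });
    } else if (s === "'unsafe-inline'") {
      findings.push({ source, level: 'info', note: 'ignored: inline script stays blocked' });
    } else if (s.startsWith('https://')) {
      findings.push({ source, level: 'warn', note: 'remote scripts run with extension privileges' });
    } else if (s.startsWith('http://')) {
      findings.push({ source, level: 'error', note: 'not HTTPS: exposed to MitM, not accepted' });
    } else {
      findings.push({ source, level: 'review', note: 'source not covered by these rules' });
    }
  }
  return findings;
}

// Constructed sample manifest (not from the page).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.example.com " +
    "http://cdn.example.com; object-src 'self'",
};

for (const f of auditExtensionCsp(SAMPLE_MANIFEST)) {
  console.log(`${f.level.toUpperCase().padEnd(6)} ${f.source}  ${f.note}`);
}
```

A manifest with no `content_security_policy` key falls back to the default policy and produces no findings.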

chrome extensions block from specific domain

Is it possible to disallow Chrome extensions from a specific domain?
For example, I want extensions that I install to run on other domains, but on the domain test.com I want no extensions at all.
I tried tools->extensions but there I can just disallow from incognito and some part of extensions everywhere.
Is it actually possible?
This is not possible. You have to either use incognito mode or create a separate user (chrome menu->Settings->Users) which doesn't have any extensions.
There's an Extension Automation that handles that for you:
https://chrome.google.com/webstore/detail/extension-automation/ghopjgdkodchjclkkfdekhjfomdbakkb
Automatically enables and disables extensions for specified sites. For simpler browsing and better performance.
The following code disables extensions for http://www.google.co.in/ and enables them for other domains; you can customize it as needed. However, it works only for extensions you create and at all installed instances.
manifest.json
    {
      "name": "Browser Action Demo",
      "description": "This Demonstrates Demo of Browser Action",
      "browser_action": {
        "default_icon": "screen.png",
        "default_title": "Browser Action Demo"
      },
      "background": {
        "scripts": ["background.js"]
      },
      "permissions": ["tabs"],
      "manifest_version": 2,
      "version": "1"
    }
background.js
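    // Disable this extension's browser action in every tab that is
    // currently open on the target URL.
    function browseraction() {
      // Filtering by "url" only takes effect with the "tabs" permission.
      chrome.tabs.query({ "url": "http://www.google.co.in/" }, function (tabs) {
        for (var i = 0; i < tabs.length; i++) {
          chrome.browserAction.disable(tabs[i].id);
        }
      });
    }
    // Run once when the background page has loaded.
    window.onload = browseraction;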

Chrome Extension: close background page after closing Chrome

I have an extension with a background page, and by default this causes Chrome to persist after you close all windows, and puts the Chrome icon in the system-tray. I would like to avoid this -- I do not want my extension to cause the Chrome process to persist after closing all Chrome windows, nor do I want to cause Chrome to appear in the systray.
The only docs I could find on this indicate that the user can set this option globally across all extensions, but that isn't what I'm trying to do. I'd like the extension to be unassuming / unobtrusive, and don't want to change the user's browser behavior. Does anyone know how to accomplish this while retaining the ability to have a background page?
UPDATE
With manifest version 2 you can now run event pages that are not persistent. Event pages are very similar to background pages but are only loaded when needed by the extension.
Example from the event pages doc on setting a non persistent event script in your manifest:
    {
      "name": "My extension",
      ...
      "background": {
        "scripts": ["eventPage.js"],
        "persistent": false
      },
      ...
    }
Here is a tutorial on migrating your Chrome extension to manifest version 2.
OLD ANSWER
Currently, if your extension has a background defined in the manifest.json file, it will run before Chrome is launched and continue after all windows of Chrome are closed. That is unless the user changes their settings like you mentioned. There may be future versions of Google Chrome that allow for different functionality but you, the developer, won't be able to get around this issue at this time.
An excerpt from the background manifest docs
Makes Chrome start up early and shut down late, so that apps and extensions can have a longer life.
When any installed hosted app, packaged app, or extension has "background" permission, Chrome runs (invisibly) as soon as the user logs into their computer—before the user launches Chrome. The "background" permission also makes Chrome continue running (even after its last window is closed) until the user explicitly quits Chrome.