I have a Chrome extension that can (if you allow access to file URLs) grab your local pdf file that you have open in chrome and send it on to our API for processing. This is done by fetching the pdf with XMLHttpRequest to file:///Users/user/whatever/testfile.pdf from the background script.
When migrating to manifest v3 for a Chrome extension the background script becomes a service worker. In a service worker only fetch is available, not XMLHttpRequest. Problem is, fetch only supports http and https, not file:// urls. So how can I make the same feature of having the Chrome extension fetching/getting the local file?
EDIT: Things I also tried:
Making the XMLHttpRequest from injected iframe as suggested by answer.
This gives error net:ERR_UNKNOWN_URL_SCHEME when making the request
Making the XMLHttpRequest from injected content script.
This gives error Access to XMLHttpRequest at 'file:///.../testfile1.docx.pdf' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, chrome-untrusted, https.
From what I can understand from a lot of research access to file:// is in general blocked and Chrome extension background scripts used to be an exception to this. Seems to me it was never allowed from content scripts or action popups.
My manifest.json for reference:
{
"manifest_version": 3,
"name": "..",
"version": "0.1",
"icons": {
"16": "assets/icon-16x16.png",
"48": "assets/icon-48x48.png",
"128": "assets/icon-128x128.png"
},
"action": {
"default_title": ".."
},
"background": {
"service_worker": "background.js"
},
"permissions": [
"webRequest",
"activeTab",
"scripting",
"storage",
"unlimitedStorage",
"identity",
"pageCapture"
],
"host_permissions": [
"<all_urls>"
],
"web_accessible_resources": [{
"resources": ["iframe.html"],
"matches": [],
"extension_ids": []
}]
}
The content script is injected programmatically (using webextension-polyfill for promise support)
browser.action.onClicked.addListener(async (tab: Tab) => {
await browser.scripting.executeScript({files: [ "inject.js" ], target: {tabId: tab.id}});
});
Chrome 98 and older can't do it in the background service worker for the reasons you mentioned.
There was also a bug that prevented doing it in a normal visible chrome-extension:// page or iframe. It's fixed in Chrome 91.
Solution
Use fetch in Chrome 99 and newer.
In older versions use the following workarounds.
Workaround 1: File System API, Chrome 86+
A ManifestV3 extension can use the new File System API to read the contents of the file, for example inside the iframe exposed via web_accessible_resources.
Workaround 2. Extension frame, Chrome 91+
Use a content script that runs in the tab with that pdf:
matches in manifest.json should contain <all_urls> or file://*/* and file access should be enabled by the user in
chrome://extensions UI for your extension. Alternatively you can use
activeTab permission and programmatic injection when the user
clicks your extension's icon or invokes it through the context menu.
The content script adds an invisible iframe that points to iframe.html file exposed in web_accessible_resources
The iframe.html loads iframe.js which uses XMLHttpRequest as usual. Since the iframe has chrome-extension:// URL its environment
is the same as your old background script so you can do everything
you did before right there.
Workaround 3. Extension window/tab, Chrome 91+
An alternative solution is to use any other visible page of your
extension like the action popup or options page or any other
chrome-extension:// page belonging to your extension as they can
access the file:// URL via XMLHttpRequest same as before.
Notes
File access should be enabled in chrome://extensions page for this extension.
Related
As we know, by default chrome extensions doesn't have access to chrome:// pages such as chrome://extensions and chrome://settings. ( Of course we can change chrome://flags/#extensions-on-chrome-urls flags however the following question is based on that we didn't change the default flags).
Recently I happen to find ChromeVox (offered by chrome.google.com) can work well in all pages including chrome:// pages. I checked the source code for this extension and find as long as we add the following line in manifest.json for any extension, the extension can work well in chrome:// pages.
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEGBi/oD7Yl/Y16w3+gee/95/EUpRZ2U6c+8orV5ei+3CRsBsoXI/DPGBauZ3rWQ47aQnfoG00sXigFdJA2NhNK9OgmRA2evnsRRbjYm2BG1twpaLsgQPPus3PyczbDCvhFu8k24wzFyEtxLrfxAGBseBPb9QrCz7B4k2QgxD/CwIDAQAB"
So it looks like chrome has something like whitelist to allow specific extensions to break the default restrictions. Am I right? Is there official guide to clarify this behavior?
Appendix:
The following is a sample extension, you will find with the key, console will output test even in chrome://extensions pages; however once removing the key, nothing happens.
manifest.json:
{
"manifest_version": 2,
"name": "Test",
"version": "1.0",
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"content.js"
]
}
],
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEGBi/oD7Yl/Y16w3+gee/95/EUpRZ2U6c+8orV5ei+3CRsBsoXI/DPGBauZ3rWQ47aQnfoG00sXigFdJA2NhNK9OgmRA2evnsRRbjYm2BG1twpaLsgQPPus3PyczbDCvhFu8k24wzFyEtxLrfxAGBseBPb9QrCz7B4k2QgxD/CwIDAQAB"
}
content.js:
console.log('test');
"key" property in manifest.json uniquely defines the extension's ID in encrypted form.
Some Google extensions are unfairly(?) whitelisted by ID in the source code of chromium.
In this case, ChromeVox:
scripting_whitelist_.push_back(extension_misc::kChromeVoxExtensionId);
And then this whitelist is checked to see whether an extension can run everywhere in PermissionsData::CanExecuteScriptEverywhere, which is accessed in CheckRestrictedUrls where we can see restricted schemes: chrome://, chrome-extension://, chrome-debugger://
I'm developing a Google Chrome Extension and facing a challenge with the background; the browser doesn't load the background picture added in CSS.
I can't seem to find an effective way to declare assets under the web_accessible_resources key in the manifest.json file.
What is the manifest.json file and how does one declare assets in it?
A manifest.json file is required for any Chrome extension. The manifest.json file contains information that defines the extension. The format of the information in the file is JSON.
You can read more about what it contains in Google Chrome developer documentation: Manifest File Format
You will probably also want to read: Overview of Google Chrome Extensions
A relatively simple manifest.json file looks like (source: Getting Started: Building a Chrome Extension):
{
"manifest_version": 2,
"name": "Getting started example",
"description": "This extension shows a Google Image search result for the current page",
"version": "1.0",
"browser_action": {
"default_icon": "icon.png",
"default_popup": "popup.html"
},
"permissions": [
"activeTab",
"https://ajax.googleapis.com/"
]
}
Manifest - Web Accessible Resources:
This is an array of strings assigned to the key web_accessible_resources within your manifest.json file which specifies the assets within your extension that are to be made accessible by webpages. The file/path within manifest.json is relative to your extension's root directory. The webpage can access the resource from a URL that looks like: chrome-extension://[PACKAGE ID]/[PATH].
Example (source:Manifest - Web Accessible Resources):
{
...
"web_accessible_resources": [
"images/*.png",
"style/double-rainbow.css",
"script/double-rainbow.js",
"script/main.js",
"templates/*"
],
...
}
For more information on web_accessible_resources see Google Chrome developer documentation: Manifest - Web Accessible Resources.
I'm trying to make a Chrome Extension which scrapes some details from Pull Requests on Github using the Fetch API, and then displays them elsewhere. I'm running into some problems when I try to use this with a non-public repository on Github. I believe this is related to CSRF protection, and the rules that govern Chrome extensions having access to session cookies.
I have the following in my extension's manifest.json:
"content_scripts": [{
"matches": [
"*://github.com/*/*/pulls"
],
"js": ["script/underscore-1.8.3.min.js", "script/content.js"]
}],
"permissions": [
"tabs",
"activeTab",
"*://github.com/*",
"webNavigation"
]
But when I run the following from within my script/content.js:
fetch('/redacted/redacted/pull/4549', {credentials: 'same-origin'}).then((response) => {
return response.text();
}).then((text) => {
// do cool stuff
})
This produces a 404 response from Github. Inspecting this request with Chrome Inspector's network tab, I can see it is not sending my GitHub session header with the request.
If I make the very same request using the Javascript prompt in the Inspector, I can see a 200 response, and I can see that it is sending my session cookies.
My understanding was that specifying the Github domain in my manifest.json would mean my extension would have access to my session data in my content scripts, is this not correct? What should I be doing to make a valid request to this protected content?
According to Chrome blog, to include cookies you need credentials: 'include' instead of credentials: 'same-origin'.
Specifying github in the permissions only gives access to the host, its there to limit damage if the extension/app is compromised by malware (source).
Its not indicated in the content script documentation that session data can be retrieved in content scripts, just their DOMs. I think it would be better if you use and incorporate the official Github API in the chrome extension project you're creating.
I'm pretty new at chrome extensions and am trying to make a simple one that automatically launches links in my emails. I am going to modify it a bit later on, but for now, this is all I am trying to do. How do I have a chrome extension automatically read the text of the current tab that I am on, or when I open emails if I can get that specific? I have a manifest file set up and currently can make the extension button launch a link, but I'd rather have this happen automatically, as I don't want to hit a button to launch a link when I could just click the link itself.
manifest.json
{
"manifest_version": 2,
"name": "MT task launcher",
"description": "This extension launches Task Links in emails",
"version": "1.0",
"background": {
"scripts": ["task.js"]
},
"browser_action": {
"default_icon": "icon.png",
"default_title": "Email Task Launcher"
},
"permissions": [
"activeTab"
]
}
task.js
chrome.browserAction.onClicked.addListener(function(tab) {
var action_url = "http://www.reddit.com";
chrome.tabs.create({ url: action_url });
});
Take a look at Official Guide, for your purpose, I think you should use content scripts ( which are injected into current web page), then read the DOM and get all the links. To open the links, you can either call window.open() or by passing message then open them via chrome.tabs.create
There are two options to do that, it's either edit the local copy of the extension or to inject the call to the extension.
Inject code as a Content script, use the matching rules as defines in the manifest file
A background page file use the 'chrome.tabs.onUpdated' event. Also, use the 'chrome.tabs.executeScript' method to inject script.
Okay, this is weird.
This is my extension, and it works flawlessly in Windows (atleast on two win7 machines), but when I tested it on linux (CentOS6 and Fedora18) it failed to do anything when its icon was clicked (it should, at the very least, display an alert).
The options page still works, and saves data properly.
After enabling developer mode in chrome://extensions/ you can click _generated_background_page.html for the extension to see the JS console for the addon.
That's where I saw the following error:
Error during tabs.executeScript: Cannot access contents of url "https://www.google.com.au/". Extension manifest must request permission to access this host.
actual url in error is not relevant, does it to all sites
Thing is, the windows machines showed no such error, shouldn't this be platform independent?
The manifests are obviously the same, so how come the addon hasn't the required permissions only on linux machines?
Mac is untested, if someone could try that for me, it might be useful
FURTHER INFORMATION
The error message above was given with the following information;
Located in the function chromeHidden.handleResponse on line 22 of the script sendRequest
The "activeTab" permission was added in Chrome 26. Make sure that you've installed Chrome/Chromium 26+.
If you want to make your extension compatible with older browsers in the Chrome Web Store, add host permissions to the manifest file, plus the minimum_chrome_version key:
First upload an extension with the following manifest file:
{
"name": "Name of extension",
"version": "1.0",
"manifest_version": 2,
"permissions": [
"<all_urls>"
]
}
Then bump the version, change "<all_urls>" to "activeTab", add the "minimum_chrome_version" field and upload it again to the Chrome Web Store:
{
"name": "Name of extension",
"version": "1.0.1",
"manifest_version": 2,
"permissions": [
"activeTab"
],
"minimum_chrome_version": "26.0.0.0"
}