I'm working on Chrome extension, that need to work with another extension (Metamask).
Standard way of doing this is by window.ethereum object, but from content script this object is undefined.
I found Can the window object be modified from a Chrome extension? but all examples are blocked by CSP of website (in my case twitter.com)
Is there any way of bypassing CSP from chrome extension's context?
Related
I have a Chrome extension that contains a page, chrome-extension://foo/index.html
That page contains an iframe, which loads pages I do not own (not on the same domain).
I want to inject a script into that iframe from the Chrome extension - however, URLs starting with chrome-extension:// are not a valid match pattern for either the "permissions" or "content_scripts" field of the manifest (so I cannot inject it programmatically or declaratively). I am able to inject the script if I host my index.html file elsewhere (not as part of the Chrome extension), but it's annoying to have to have part of my Chrome extension hosted elsewhere. Is there any way to give my extension permissions to inject a script in an iframe inside a file that it owns?
I am building a chrome extension that redirects the tab to an html file if a url on a blacklist is loaded. This html file includes both continue and back buttons. The only problem is I am using chrome.webRequest.onBeforeRequest and I am unable to find a way to store the url that the request originates from. According to the MDN web docs there is a FrameAncestor property that allows you to access this url, but this is not supported by chrome. Are there any equivalent functions or work arounds?
I would like to serve files from a Chrome extension under different origin than the Chrome extension itself. Ideally, I would like that origins are multiple and can be configured. The idea is that then I can load them inside an <iframe> and they have their own isolated origin from anything else.
Use a sandbox (either as an iframe attribute or via the "sandbox" key in the manifest file) without the allow-same-origin directive. Then the page will have a unique origin (and it won't have access to APIs specific to the extension origin).
I have an iframe in my chrome extension that loads a website, I'd like to inject CSS and Javascript into the website but only when its loaded in my extensions iframe (so it doesn't get affected when the user browses to the site normally).
I was surprised that Chrome extensions have cross-domain security policies applied to them when they try to access the internals of an iframe even though they can make cross-domain XHR requests.
Is there an easy way to do this? I though I might be able to do it using executeScript but it requires a tab ID.
The only way to know if you are in an ifrmae is the window is not the top.
if (window == top) {
// Not in iframe
}
else {
// In an iframe
}
You can only do that for content scripts, not for stylesheets. What I usually do is within the content script, I check if it isn't in the top window, and then continue the script, otherwise I just end it.
Recap
Inject the Content Script for that URL
In the content script, check if the window property, if (window != top) { loadContentScript() }
Create the CSS in the JavaScript if you are too worried about it affecting. You shouldn't though if you use unique ids.
Hope that helped, I do that for a few extensions of mine.
I have an iframe within the main window named "test_iframe". I want to access the content of "test_iframe" within a Google Chrome extension. I understand that I can do this if I have requisite permissions given in manifest.json.
Can I access the content of this iframe from a background HTML page? Or can I access it in a content script which is part of that extension? (In the latter case I suppose I have to pass the iframe content from the content script to a background page as part of a message for further processing(?))
Let's say this test_iframe comes from http://frame.example.com. I would just inject a content script directly to frame.example.com (instead of the parent page) and do everything there.