Do I need to declare host_permissions in my chrome extension? - google-chrome-extension

I'm creating a chrome extension that should be able to be accessed by the user on any website they are on. I don't have any content scripts, only popup.js and background.js. Would I need to have my host permissions in manifest V3 like this? Or am I able to omit the host_permissions?
"host_permissions": [ "*://*/*" ]

No, you don't need to add host permissions unless your extension needs to interact directly with the user's browser/client data, for example cookies, webRequest, and tabs.
This article helps:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions#:~:text=Use%20the%20host_permissions%20key%20to,a%20request%20for%20a%20permission.

Related

Chrome extension with dynamically changing "matches" value?

Is it possible to change the 'matches' value in my Chrome extension's manifest.json file after installation? Maybe through an options page or something? I'd like to provide the ability to lock my extension to a domain but the domain will change per user afterwards.
"matches": [ "*://*.whatever.com/*" ],
I'd like my options page to be able to change this value. Does anyone know if this is possible or practical? And if so how might I do it?

How to serve files from a Chrome extension under different origin?

I would like to serve files from a Chrome extension under different origin than the Chrome extension itself. Ideally, I would like that origins are multiple and can be configured. The idea is that then I can load them inside an <iframe> and they have their own isolated origin from anything else.
Use a sandbox (either as an iframe attribute or via the "sandbox" key in the manifest file) without the allow-same-origin directive. Then the page will have a unique origin (and it won't have access to APIs specific to the extension origin).

From content scripts, can I make an ajax call to a REST API hosted on my server?

After reading blogs and some Stack Overflow answers while building a Chrome extension, I had for some reason thought that we cannot make an ajax call to a REST API hosted on a server that comes under another domain than the hosted page. Is this correct? While developing my extension, I mistakenly made a call from a content script on clicking a button on my extension UI (the UI is injected into the DOM using a content script). I did not run into any error. Everything went smoothly. The host page in my test case is in fact a page from Stack Overflow, and the REST API is hosted on my localhost. Could it be because the API was on localhost?
From Chrome XHR documentation:
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
Furthermore, from the Content Script documentation:
Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions [...]
So the only thing you need is to add your API endpoint to host permissions in the manifest:
"permissions" : [
"*://api.example.com/*"
]
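The two answers above (whether `*://*/*` is needed at all, and scoping access to `*://api.example.com/*`) both turn on what a match pattern actually covers. The following is an added example, not code from the original posts or from Chrome: a simplified match-pattern model for auditing a manifest's host access. The function names, the sample manifest and the `attacker.test` host are assumptions made for illustration.

```javascript
// Added example (not from the original posts): simplified model of extension
// match patterns, used to audit how much host access a manifest requests.
// Only http, https and file schemes are modelled; ports are not handled.
const SCHEMES = ["http", "https", "file"];
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function parsePattern(pattern) {
  const m = /^(\*|https?|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

function matchesPattern(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return SCHEMES.includes(scheme);
  const p = parsePattern(pattern);
  if (!p) return false;
  // "*" as a scheme means http or https only.
  if (p.scheme === "*" ? !["http", "https"].includes(scheme) : p.scheme !== scheme) return false;
  if (p.host.startsWith("*.")) {
    // "*.example.com" covers example.com and its subdomains, not "evilexample.com".
    const base = p.host.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (p.host !== "*" && p.host !== u.hostname) {
    return false;
  }
  // Path: "*" is a wildcard, everything else is literal.
  const glob = p.path.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + glob + "$").test(u.pathname + u.search);
}

function auditManifest(manifest) {
  // MV3 lists hosts under "host_permissions"; MV2 mixes them into "permissions".
  const hosts = manifest.manifest_version === 3
    ? manifest.host_permissions || []
    : (manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://"));
  return hosts.map(p => ({
    pattern: p,
    parsed: p === "<all_urls>" || parsePattern(p) !== null,
    broad: BROAD.has(p),
  }));
}

// Constructed sample manifest: one broad pattern, one scoped to a single API host.
const sample = { manifest_version: 3, host_permissions: ["*://*/*", "*://api.example.com/*"] };
console.log(auditManifest(sample));
console.log(matchesPattern("*://api.example.com/*", "https://api.example.com.attacker.test/v1")); // false
```

Entries reported with `broad: true` are the ones to question in review: if the extension only calls one API, the scoped pattern is sufficient.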

Chrome Extension: Permissions to manipulate content of data URIs

I am working on a Chrome extension that needs to inject scripts into data:-URI pages.
When trying to execute the javascript I get an exception:
Error during tabs.executeScript: Cannot access contents of url "data:text/html;charset=utf-8, … ". Extension manifest must request permission to access this host.
But which permission would work for me? I tried data:*, <all_urls>, *://*/* - none of these worked. Also the activeTab permission did not do the trick. Any ideas?
It's currently a Chromium bug that extensions cannot work on data URIs. A fix is going in that will rectify this, hopefully landing in Chrome 66.

localStorage variable scope is different between background.html and content_script js file

Values set in local storage in background.html could not be accessed in JavaScript files loaded using the content_script entry of manifest.json, and vice versa. Is this the default function of localStorage, or am I missing something?
For example, if I store a value from myscript.js, which is injected on each page load, it is accessible within myscript.js, but when I try to access it in background.html it says undefined.
The same happens when I set a localStorage value in background.html and try to access it in myscript.js: I can't, whereas it can be accessed in the page or script where it was created or set.
Is this the default behavior or am I missing something?
This is the default behaviour.
Content scripts injected into normal webpages can't access your extension's local storage.
And your extension's manifest can't access local storage, either.
Also see Do popup.html and background.html share the same local storage?
