The title says it all - is message passing between an extension background page and an injected script that runs on the website being visited totally private?
For example, on chrome you have chrome.runtime.sendMessage() and chrome.tabs.sendMessage() as documented in https://developer.chrome.com/apps/messaging
Do I need my message data to be unique in case another extension happens to use the same name for fields in the data?
If I was using window.postMessage() I would make sure my message was unique, do I need to do the same in the extension message passing?
Thanks ...
Related
I'm working on a Chrome extension to (among other things) support a page with multiple iframes, each of which loads a page from some other domain. I need to send a msg to the page loaded a specific one of those iframes. The top-level page and the pages in the iframe each have their own content scripts, so the full messaging API is available.
From the top page, when I do chrome.runtime.sendMessage(), all the iframes get it (as does the top window, but it's easy for its content script to know that that particular msg isn't intended for it). Is there any way to target a specific one of those iframes, or for the desired iframe page to know that the msg is for it?
Note that...
The top page can't access anything in iframe pages directly, because they're from other domains.
The top page knows the URL that was originally loaded in each frame, but the user may have navigated from there, so including the target URL as a msg parameter for the receiving script to check won't work.
Is there something obvious I'm missing here?
UPDATE: #wOxxOm's answer was very helpful, but I'm still stuck on how to get the frameIds I need.
More specifically, I need to do two things with those iframes, both of which need that frameId:
Inject a script into each iframe
Send msgs to a specific iframe in response to user actions on the top-level page
All of this is complicated by the fact that the iframes are created and removed dynamically as the user works.
One idea I had is to initially load each new iFrame with the URL "about:blank?id=nnn", where nnn is the DOM id of the corresponding iframe element. That way, when I call getAllFrames(), I can recognize the new iframes by that URL, and build a lookup of frameIds for each DOM id. Once that's done, I can load the real URL, inject the script once it's loaded.
That seems so roundabout, I'm hoping I've missed some supporting API or other straightforward approach.
I did find a solution, but it's pretty indirect. I hope this is clear; all these moving parts are the nature of the beast as I understand it.
Here's what I ended up doing:
Added a name attribute to each iframe, the same as its DOM id.
When the page in each iframe loads, a global content script calls chrome.runtime.sendMessage(), passing that name, which it can access as window.name.
The background script gets that msg, with the frameId of that iframe as sender.frameId, and calls chrome.tabs.sendMessage(), passing the frameId and window name.
The top-level page's content script builds a lookup object from those window-name (AKA iframe DOM id) / frameId pairs.
When the top-level page's content script wants to send a message to any of the iframe pages, it looks up the target's frameId in that lookup object, then calls chrome.runtime.sendMessage(), with a message type that indicates it's for a specific iframe, and including that frameId.
In response, the background script sends it on to the requested iframe's content script with chrome.tabs.sendMessage(), passing {frameId: request.frameId} as the 3rd parameter, as wOxxOm suggested.
This is working here, but by all means let me know if there's a simpler way to do this.
I am trying to build a simple chrome extension so that when a form on a webpage in a specific website is populated and the user presses Submit then the data in the form is captured and then some of that data is injected into another form running on a different website.
I have no access to edit the code for either of the forms so a chrome extension seems to be the best way to do this from what I have read.
I would like to know if this is possible and how to go about it
It is possible using Content Scripts, a Background Page, and/or Chrome.storage
You will need Content Scripts on both websites that have the forms. Use the Manifest File correctly to set up which websites to attach which Content Scripts to.
The first Content Script (the one reading the form being filled and submitted) will have to take the values of each form input, triggered by the submit button.
Then you will need to use Message Passing to send a message (containing all the form data) from that Content Script to your Background Page. The data can be held temporarily or saved into chrome.storage by the Background Page.
Then the second form's Content Script also uses Message Passing to request the data from Background Page, which is delivered from temporary holding or retrieved from chrome.storage then sent.
And finally the second Content Script modifies its website's form to fill in the values.
Lets say I have a chrome extension which watches which url the user is at, could this chrome extension look for a special delimiter in the url(like a hash fragment) to signal an action to take? Here's an example:
The user clicks the link
https://google.com#signaltoextension
The extension could then check the url for the #signaltoextension and take some action.
The problem with this approach is, what if the url already has a hash fragment on it?
could I do something like this?
https://google.com#preexistinghashfragment##signaltoextension
Basically, I'm looking for a proper delimiter that allows a user without the extension to follow the link without consequence, but if a user has the extension for it to take action.
Here's my use case:
A user with the extension is at the link:
https://google.com
He wants to associate some information with this link to share it with another user. Lets say, in the extension he associates the information "google rocks" with google.com, the extension sends this to the my server along with the user's username, lets say his username is linkguy. Then linkguy shares the link https://google.com{delimiter}linkguy with another user. The other user visits this link, the extension sees the delimiter, queries the server for google.com{delimiter}linkguy, then the extension displays "google rocks". If someone who does not have the extension clicks the link, it should simply follow the link without consequence.
Well, no. There can only be a single fragment identifier, and you will break the existing one.
Moreover, the fragment identifier is often processed by both the server (analytics tracking) and the client-side code, so passing a fragment identifier is not guaranteed to be "without consequence".
You can, in principle, try to catch such a "special" identifier with WebRequest and cut it out before the request is sent. But for people without the extension, that would break it.
I couldn't make a request to a remote server using JavaScript in the onload function due to access is denied insanity. So, just to make CRM obey, I set up an IFRAME and connect that to a HTML page running my JavaScript. Now, provided that I get some values inside the script (run in an IFRAME) how can I communicate them to a method in the holding parent?
Not quite sure how to explain it more detailed so please feel free to ask.
The access is denied is the Same Origin Policy. You're going to run into the same problem from the IFRAME unless you're serving the page or just the script src from the same server you're subsequently trying to make the AJAX request to.
Assuming you are doing the latter then you just need to make sure you have unchecked the "Restrict cross-frame scripting" option on the IFRAME you added to the CRM form. From the IFRAME you will now have access to your function that you've defined at global scope on the parent CRM form via window.parent.yourfunctionNameHere(xyz).
postMessage sounds like it might fit.
window.postMessage, when called, causes a MessageEvent to be dispatched at the target window when any pending script that must be executed completes (e.g. remaining event handlers if window.postMessage is called from an event handler, previously-set pending timeouts, etc.). The MessageEvent has the type message, a data property which is set to the string value of the first argument provided to window.postMessage, an origin property corresponding to the origin of the main document in the window calling window.postMessage at the time window.postMessage was called, and a source property which is the window from which window.postMessage is called.
To use window.postMessage, an event listener must be attached:
// Internet Explorer
window.attachEvent('onmessage',receiveMessage);
// Opera/Mozilla/Webkit
window.addEventListener("message", receiveMessage, false);
And a receiveMessage function must be declared:
function receiveMessage(event) {
// do something with event.data;
}
The off-site iframe must also send events properly via postMessage:
<script>window.parent.postMessage('foo','*')</script>
Any window may access this method on any other window, at any time, regardless of the location of the document in the window, to send it a message. Consequently, any event listener used to receive messages must first check the identity of the sender of the message, using the origin and possibly source properties. This cannot be understated: Failure to check the origin and possibly source properties enables cross-site scripting attacks.
Source: https://developer.mozilla.org/en/DOM/window.postMessage
Recently I had the joy of connecting to a web service and retrieve some data. When that’s been achieved, I found myself sitting on the said data not exactly knowing where to put it.
To make the long story short, I used the following source code.
parent.window.Xrm.Page.data.entity.attributes
.get("new_Konrad").setValue("Viltersten");
Notable is the fact that in order to communicate with the parent form, the HTML file (where my JavaScript resided), needed to be placed as a web resource within the CRM structure. By other words, just by pointing to an external “http://some.where/some.thing” we can consume a service but won’t be able to convey the obtained information up the CRM server, at least not when developing a solution for the on-line version.
Is it possible to catch the request of a page before it is sent out? I would like to check and modify the data sent out. For example if I have a text box on a page and the form was submitted I would like to get to the data of the text box using the extension modify it and then send it on it's way.
If any one can point me in the right direction that would be grate
Chrome has chrome.experimental.webRequest API module which allows to catch web requests before they are sent, but from the docs it doesn't look like you can modify them, just observe.
I think you would be better off injecting a content script to pages and listening to onbeforesubmit event on forms.