Content Security Policy doesn't allow mixed content - google-chrome-extension

I am trying to access an internal machine on my network via a Chrome extension. I am calling a PHP file from my Chrome extension. I am using the following manifest file:
{
"content_scripts": [ {
"js": [ "lib/jquery.js", "lib/jquery-ui.js", "lib/util.js" ],
"matches": [ "*://plus.example.com/*", "*://tools.example.com/*" ]
}, {
"js": [ "tools/g_tool.js" ],
"matches": [ "*://plus.example.com/*" ]
}, {
"js": [ "tools/b_tool.js" ],
"matches": [ "*://tools.google.com/*" ]
} ],
"icons": {
"128": "images/icon_128.png",
"16": "images/icon_16.png",
"48": "images/icon_48.png"
},
"manifest_version": 2,
"name": "Tool",
"permissions": [ "*://plus.example.com/*", "*://tools.example.com/*", "http://myusername-example.com/*"],
"version": "0.7",
"web_accessible_resources": [ "images/loading.gif" ]
}
The internal machine which I am using can be used only via http. So, I am looking around for a way to use it in my chrome extension.

Related

Linking to local files within css file

I'm attempting to completely overhaul a website's CSS and possibly HTML, and I'm just trying to find a way that works for me.
The problem is that within an extension local css file I'm also trying to define a font url via extension local files.
manifest.json:
{
"name": "Test theme",
"description": "Custom theme for Darkmass.gg.",
"version": "0.0.1",
"manifest_version": 3,
"content_scripts": [
{
"matches": [
"https://*.example.com/*"
],
"css": [
"./css/main.css"
],
"js": [
"./js/app.js"
],
"run_at": "document_end"
}
],
"web_accessible_resources": [
{
"resources": [ "./media/*" ],
"matches": [ "https://*.example.com/*" ]
}
]
}
main.css:
@font-face {
font-family: NFLDolph;
src: url('chrome-extension://ipbedjgbhlnngdddbaojpnaicdpifmgd//media/fonts/NFLDOLPH.TTF');
}
The problem clearly lies with the source URL for the NFLDolph font-face. If I just leave it as ./media/fonts/NFLDOLPH.ttf then it just tries to load the font from example.com instead of locally.
And here is the error I get:
Denying load of chrome-extension://ipbedjgbhlnngdddbaojpnaicdpifmgd//media/fonts/NFLDOLPH.TTF. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension.
I made a sample.
manifest.json
{
"name": "NFLDolph",
"version": "1.0",
"manifest_version": 3,
"content_scripts": [
{
"css": [
"main.css"
],
"matches": [
"<all_urls>"
]
}
],
"web_accessible_resources": [
{
"resources": [
"font/*.TTF"
],
"matches": [
"<all_urls>"
]
}
]
}
main.css
@font-face {
font-family: NFLDolph;
src: url("chrome-extension://__MSG_@@extension_id__/font/NFLDOLPH.TTF");
}
* { font-family: NFLDolph, serif }

Not running at document_start

My extension doesn't run at document_start. The manifest.json:
{
"manifest_version": 3,
"name": "Lift Web Restrictions",
"description": "Simple extension that removes most ads, web restrictions, adds mods to MooMoo.io / Krunker.io / and more!",
"version": "0.0.5",
"icons": {
"16": "logo/sw16.png",
"48": "logo/sw48.png",
"128": "logo/sw128.png"
},
"permissions": [],
"host_permissions": [
"*://*/*"
],
"background": {
"service_worker": "service-worker.js"
},
"web_accessible_resources": [
{
"resources": ["modules/script.js"],
"matches": ["*://*/*"]
}
],
"content_scripts": [{
"js": [
"modules/transfer.js"
],
"matches": ["http://*/*", "https://*/*"],
"all_frames": true,
"run-at": "document_start"
}]
}
There's a console.log within modules/transfer.js, however the page's script tag beats it.
Launching egAps
index.bf049c93.js?52f6f7bb66295262766e:2 Downloading d.js...
index.bf049c93.js?52f6f7bb66295262766e:2 Loading WASM c66eb3cbd8fdc1325900.wasm
^^^^ logged before script runs
index.bf049c93.js?52f6f7bb66295262766e:2 1 dependencies left
transfer.js:1 fireAt <--- where it runs
index.bf049c93.js?52f6f7bb66295262766e:2 0 dependencies left
index.bf049c93.js?52f6f7bb66295262766e:2 Running...
index.bf049c93.js?52f6f7bb66295262766e:2
Replace run-at with run_at
Thank you wOxxOm

Get network data in chrome extension

I have a Chrome extension but I can't figure out how to access the data in the devtools network tab and send it to the popup. Any suggestions?
It's basically a bug-reporting Chrome extension where you can take screenshots and create an issue, and I need the network log (and/or console).
manifest.json
{
"manifest_version": 2,
"name": "my-chrome-extension",
"description": "Chrome Extension for report bug",
"version": "1.0",
"background": {
"scripts": [
"js/background.js"
],
"persistent": false
},
"icons": {
"16": "./icon.png",
"36": "./icon.png",
"48": "./icon.png",
"120": "./icon.png"
},
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"js/vendor.js", "js/content_script.js"
]
}
],
"web_accessible_resources": [
"inject-script.js",
"js/inject-script.js"
],
"browser_action": {
"default_popup": "popup.html",
"default_title": "PerfWatch"
},
"permissions": [
"tabs",
"activeTab",
"storage"
]
}
You can't access it directly. Only via an API like webRequest via the bg script.
Example:
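chrome.webRequest.onBeforeRequest.addListener((details) => {
// This identifies a redirect to another page.
// "Target", "Source" and "OPTIONS/..." are placeholders for your own values.
const initiator = details.initiator || ""; // initiator can be undefined
if (details.url.includes("Target") && details.method === "OPTIONS/..." && initiator.includes("Source")) {
chrome.tabs.sendMessage(details.tabId, {
message: "xyz"
});
}
}, { urls: ["<all_urls>"] }); // addListener requires a request filter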
Your manifest.json must include the webRequest permission in order to access the webRequests:
{
"manifest_version": 2,
"name": "my-chrome-extension",
"description": "Chrome Extension for report bug",
"version": "1.0",
"background": {
"scripts": [
"js/background.js"
],
"persistent": false
},
"icons": {
"16": "./icon.png",
"36": "./icon.png",
"48": "./icon.png",
"120": "./icon.png"
},
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"js/vendor.js", "js/content_script.js"
]
}
],
"web_accessible_resources": [
"inject-script.js",
"js/inject-script.js"
],
"browser_action": {
"default_popup": "popup.html",
"default_title": "PerfWatch"
},
"permissions": [
"tabs",
"activeTab",
"storage",
"webRequest"
]
}
Hint:
There are additional APIs like webNavigation and webRequestBlocking if you need more functionality.

Manifest v3, Failed to load extension: Invalid value for 'web_accessible_resources[0]'. Invalid match pattern. Could not load manifest

Given this Manifest v3 (after making it work on v2, I've adjusted some specs to match v3), I have an issue when adding the extension into Chrome (load unpacked).
The exact error is:
Invalid value for 'web_accessible_resources[0]'. Invalid match pattern.
Could not load manifest.
Here is the manifest:
{
"author": "Hugo Gresse",
"description": "",
"name": "app",
"version": "1.0.0",
"content_scripts": [
{
"js": [
"src/entries/contentScript/primary/main.js"
],
"matches": [
"https://play.google.com/*"
]
}
],
"icons": {
"16": "icons/16.png"
},
"permissions": [],
"action": {
"default_icon": {
"16": "icons/16.png"
},
"default_popup": "src/entries/popup/index.html"
},
"host_permissions": [
"*://*/*"
],
"manifest_version": 3,
"web_accessible_resources": [
{
"resources": [
"assets/src/entries/contentScript/primary/main.5ebc631d.js"
],
"matches": [
"https://play.google.com/console/*"
],
"use_dynamic_url": true
}
]
}
According to the v3 specs specific to web_accessible_resources here, the pattern used in matches must only be TLD based:
A list of URL match patterns specifying which pages can access the resources. Only the origin is used to match URLs. Origins include subdomain matching. Paths are ignored.
It says the "paths" (here in my case: console/) are ignored, but they are not, as it fails to load the extension.
✅: https://play.google.com/*
❌: https://play.google.com/console/*
The correct web_accessible_resources node is as follows:
"web_accessible_resources": [
{
"resources": [
"assets/src/entries/contentScript/primary/main.5ebc631d.js"
],
"matches": [
"https://play.google.com/*"
],
"use_dynamic_url": true
}
]
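An added example, not code from any of the posts above: a small Node.js lint for the two manifest mistakes seen in these threads, the hyphenated run-at key and a web_accessible_resources match pattern that carries a path. lintManifest, warMatchProblem and SAMPLE are hypothetical names with constructed input; the lint also flags host-wildcard matches, since those let any site load the listed resources.

```javascript
// Added example (not from the threads): all names and SAMPLE are constructed.
function warMatchProblem(pattern) {
  if (pattern === "<all_urls>") return null; // special token, always valid
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return "not a valid match pattern";
  // Assumption taken from the thread: only the origin is matched, so the
  // only path that loads is "/*".
  if (m[3] !== "/*") return `path "${m[3] || ""}" must be "/*"`;
  return null;
}

function lintManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const key of Object.keys(cs)) {
      // Manifest keys use underscores; a hyphenated key such as "run-at" is
      // not recognised, so the script runs at the default time instead.
      if (key.includes("-")) {
        const fixed = key.replace(/-/g, "_");
        findings.push(`content_scripts[${i}]: "${key}" should be "${fixed}"`);
      }
    }
  });
  if (manifest.manifest_version !== 3) return findings; // MV2 entries are plain strings
  (manifest.web_accessible_resources || []).forEach((entry, i) => {
    for (const pattern of entry.matches || []) {
      const where = `web_accessible_resources[${i}] "${pattern}"`;
      const problem = warMatchProblem(pattern);
      if (problem) findings.push(`${where}: ${problem}`);
      // Any page on a matching origin can load the listed resources.
      else if (pattern === "<all_urls>" || /^[^:]+:\/\/\*\//.test(pattern))
        findings.push(`${where}: host wildcard exposes resources to any site`);
    }
  });
  return findings;
}

// Constructed sample combining the mistakes from both threads.
const SAMPLE = {
  manifest_version: 3,
  content_scripts: [{ js: ["a.js"], matches: ["https://*/*"], "run-at": "document_start" }],
  web_accessible_resources: [
    { resources: ["a.js"], matches: ["https://play.google.com/console/*", "*://*/*"] },
  ],
};
console.log(lintManifest(SAMPLE).join("\n"));
```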

Why does my manifest.json trigger a lengthy review due to Broad Host Permissions?

The chrome webstore flags my extension as having "Broad Host Permissions", but I cannot figure out what in my manifest.json is causing this result.
{
"name": "AudioEye Smart Remediation Builder",
"description": "Solve any issue of accessibility without writing code. Select elements, apply changes, and fix the web.",
"devtools_page": "src/main.html",
"version": "1.31.0",
"content_security_policy": "script-src 'self' https://myother.website.com/scripts/loader.js https://myotherother.website.com/somescript.js; object-src 'self'",
"author": "AudioEye",
"background": {
"scripts": [
"src/background.bundle.js"
]
},
"browser_action": {
"default_icon": {
"16": "icons/ae16.png",
"48": "icons/ae48.png",
"128": "icons/ae128.png"
},
"default_popup": "src/popup.html"
},
"content_scripts": [
{
"matches": [
"*://my.website.com/*"
],
"run_at": "document_end",
"all_frames": true,
"js": [
"src/installDefinition.js"
]
}
],
"externally_connectable": {
"matches": [
"*://my.website.com/*"
]
},
"icons": {
"16": "icons/ae16.png",
"48": "icons/ae48.png",
"128": "icons/ae128.png"
},
"manifest_version": 2,
"optional_permissions": [
"http://*/*",
"https://*/*",
"tabs"
],
"permissions": [
"cookies",
"webNavigation",
"activeTab",
"storage",
"contextMenus"
],
"web_accessible_resources": [
"src/inspected-window.bundle.js",
"src/smart-remediation-metadata.js"
]
}
I only use a broad match in the optional_permissions object, which gives the user explicit ability to allow/deny the permissions on each page they visit.
Why does my extension require a two week review due to broad host permissions?
