Skip to main content

Chrome Extension (part 1): Injecting External Scripts into a Web Page

Recently, I was required to develop a chrome extension for some executives. This plugin only targeted a few of our most visited websites. There was a lot of approaches to implement the extension and all our use cases.
One particular challenge was trying to inject scripts from our own CDN into specific web pages. the scripts were required to interact with the page and all variables possible. Since there is a script isolation thing for Chrome Extensions, I felt this was a good challenge to take up in my spare time.

Here is a sample of my content script.

content.js
document.onreadystatechange = function () {
console.log("document state is:" + document.readyState);
if (document.readyState == "complete") {
let randAntiCache = Math.random().toString().split('.')[1];

let scriptURL4="http://localhost.test/testscript.js?v="+randAntiCache;
let scriptnode4 = document.createElement("script");
scriptnode4.setAttribute("src", scriptURL4);
document.body.appendChild(scriptnode4);
}

}

Even though I had a background script to remove the response Headers I still got the error below.
 After reading so many articles I conclude that this could not be achieved without running chrome from the command line, the good thing about running chrome from the command line is that it allows you to specify that chrome should disable certain security features during startup. So I employed the flags below.

 --allow-running-insecure-content --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Chromium\Temp

In order to make this flag seem like a semi-permanent fix. I created a chrome shortcut on my desktop. right-click on the shortcut and click 'Properties'. and I pasted the long line below into the target field.
C:\Users\XXX\AppData\Local\Chromium\Application\chrome.exe --allow-running-insecure-content --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Chromium\Temp

The path to the chrome application is
C:\Users\XXX\AppData\Local\Chromium\Application\chrome.exe
This path may be different in your case but it will be generated automatically for you when you create a shortcut. you can also obtain it by viewing any chrome shortcut created by your computer during installation.

I double-clicked the newly modified shortcut to start chrome, then I reload the extension and reload the web page. As you can see below, we now have a warning and not the usual error observed moments ago, the script gets loaded as expected and also it is executed within the page.


there are still some other issues encountered that will eventually be solved. For example; the recommended architecture supports that only one script should be injected by the extension's content script. This script is called the father-script(composer.js). the father-script is required to detect the page URL and then append other scripts(e.g theme.js) to the page's body tag, or somehow inject more scripts into the context of the page.

whilst it was easy to inject the father script(composer.js) into the webpage using an extension, the father script could not inject other scripts(theme.js) into the page. the father script was only successful when the webpage had loose content-policy headers defined. the below is a typical scenario where content-policy headers were properly defined.

* composer was injected successfully by the extension, but composer could not inject theme.js


This experimentation shows that it is quite easy to inject scripts into a webpage as an extension developer. But there is enough security to make sure that injected scripts can not inject other scripts.
As you might observe the error obtained is not about mixed content but content security error. if this host never declared the content security or defined it as a wild card, then the second-order injection would have worked.


there are suggestions that the extension should inject the other scripts just as the first was loaded. it is all about flexibility. currently, I am exploring the onHeadersReceived event of the chrome extension for this. the official docs said you can only modify the content policy headers if you specify extra-headers as an option. It also advised that this is a resource-intensive approach. but for me, it is worth trying just for experimentation.

Let me know in the comments how you are handling these situations in your dev ops.
feel free to ask for more clarity in the comment, I might just provide a GitHub link if required.
Labels:

Comments

Post a Comment

Popular Articles

Laragon: installing more versions of Apache/HTTPD

Most of the time, we casually install various PHP versions and server tools without checking if they were built for Win32 or Win64. A discussion for another day. I recently downgraded Laragon’s from PHP8.1-x64 to PHP7.x-x86. This had a little consequence - APACHE! Hence, I got the error below, indicating that my PHP and Apache can’t work together because they are of different architectures or builds.   The originally installed Apache was for 64-bit PHP versions, there are no Apache versions designed to run both 32-bit and 64-bit builds of PHP. In this article, I share steps and links that guide you to install multiple versions and builds of Apache on Laragon. 1. For all intent and purposes, you are advised to always download the latest version of Apache. Visit this URL https://www.apachelounge.com/download/additional/ to see the different versions available. It is easy to access the 64-bit versions from the homepage. However, to access the 32-bit versions, you need to use this URL. 2
Post a Comment
Read more

Resolving Incompatible Builds of PHP and Apache in Laragon: Add multiple versions of Apache

 As developers, it's often the case that different versions of PHP and server tools are installed quickly without taking into account the architecture for which they were built. In this article, we will focus on solving a specific error that arises when running incompatible builds of PHP and Apache. Recently, I encountered an issue when downgrading my Laragon setup from PHP 8.1 (x64) to PHP 7.x (x86). This caused compatibility problems with Apache, and I received an error message indicating that my PHP and Apache builds were not compatible, as the Apache installed was built for x64 versions of PHP. In this article, I'll provide a step-by-step guide on how to install multiple versions of Apache on Laragon. By following these steps, you can resolve any similar issues that you may encounter. Step 1: Download the Latest Version of Apache Visit https://www.apachelounge.com/download/additional/ to download the latest version of Apache. The homepage provides quick access to 64-bit ve
Post a Comment
Read more

VS CODE: Unable to install extensions on Ubuntu/Linux

Hey, its one of those days, i just wished i could code away the night. i decided that tonight, it was going to be VS Code all through. I closed Sublime text. It was not long before I started missing the php code linting and ever intelligent code completions that were built into sublime text. I checked the suggestions on the Extensions Tab of VS Code. and there it was! Felix Becker's "PHP IntelliSense" package. To my cute surprise, Upon clicking, the extension's description and Installation "Read Me" could not display correctly, 'twas as good as blank. All i could see was this: I thought, this is something light, so i started searching but then it was not better explained except for the GitHub issue which I found to be useful, Link is at the bottom of this page.  I hate to discover it was a DNS issue. How to detect the Issue Simply visit the URL below, if you are able to view the image on the page, then you are not affected by this issue. DNS Test URL: ht
Post a Comment
Read more