chrome.scripting.executeScript allFrames doesn't resolve on CSP-restrictive pages. #715

tomasdev · 2022-05-18T03:44:50Z

Describe the bug
chrome.scripting.executeScript callback is never called (if using promises, the promise never resolves) when the page in which it's executed contains iframe with certain CSP headers that seem restrictive / safer.

To Reproduce

// background.js
chrome.action.onClicked.addListener((tab) => {
  console.log('click');

  chrome.scripting.executeScript(
  {
    target: {
      tabId: tab.id,
      allFrames: true,
    },
    'func': function() {
      return document.activeElement;
    },
    'args': [],
  },
  (...args) => {console.log('callback', args)});
});

// manifest.json
{
    "name": "Test executeScript",
    "description": "",
    "version": "0.0.1",
    "manifest_version": 3,
    "permissions": [
        "scripting"
    ],
    "background": {
        "service_worker": "bg.js"
    },
    "action": {},
    "minimum_chrome_version": "93.0.0.0",
}

And then click the extension icon on a site like https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input

Expected behavior
The Promise should throw or the callback should be called.

** Notes**
I'm suspicious of Content Security Policy but I did not try using Charles (or similar proxy) to override header by header to know which one is messing up the extension. This may even be a bug using MV2, Chrome Input Tools also doesn't work on the Mozilla site.

The text was updated successfully, but these errors were encountered:

tomasdev · 2022-05-22T18:56:07Z

I added host_permissions *://*/* and the same behavior happens. Do you have a repo or gist with an extension working like this? Or does specifying specifically mozilla's domain work different than the wildcard?

…

On Sun, May 22, 2022, 12:39 PM guest271314 ***@***.***> wrote: Observe the error in ServiceWorker context Unchecked runtime.lastError: Cannot access contents of the page. Extension manifest must request permission to access the respective host. Add to manifest.json "host_permissions": ["https://developer.mozilla.org/"] Since DOM element is not observable in ServiceWorker context, adjust func and callback to chrome.scripting.executeScript( { target: { tabId: tab.id, allFrames: true, }, 'func': function() { return document.activeElement.tagName; }, 'args': [], }, (args) => {console.log('callback', args[0].result)}); — Reply to this email directly, view it on GitHub <#715 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACY4ANWIZZE3GHQ6KCSFYTVLJPLFANCNFSM5WG62C6A> . You are receiving this because you authored the thread.Message ID: ***@***.***>

tomasdev · 2022-05-22T19:43:26Z

I am building a keyboard (IME is only available on Chrome OS) so I need it to work on any inputable on any site. I know inputable can be set to context menu, but for accessibility I need to support at least two ways of opening the extension (shortcut or clicking the action) I will try your example out. Thanks!!!

…

On Sun, May 22, 2022, 3:35 PM guest271314 ***@***.***> wrote: I added host_permissions *://*/* "host_permissions": ["*://*/"] achieves the expected result. — Reply to this email directly, view it on GitHub <#715 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACY4AOZQTCSVPEF3XIXIUDVLKEBHANCNFSM5WG62C6A> . You are receiving this because you authored the thread.Message ID: ***@***.***>

tomasdev · 2022-05-23T16:48:56Z

@guest271314 I tested your zip, the "callback" log is never logged. I'm on Chrome version 101.0.4951.64... so I'm guessing it was fixed at some point between 101 and 104. I'll keep this bug open until 104 is stable

tomasdev · 2022-05-23T22:55:36Z

Yes, on the service worker context, the "click" is logged (before executeScript) and the callback line is never reached.

…

On Mon, May 23, 2022 at 6:14 PM guest271314 ***@***.***> wrote: the "callback" log is never logged. How do you know the callback is not fired? Are you checking for the callback to be fired in ServiceWorker context? The callback does not propagate to the target Web page. — Reply to this email directly, view it on GitHub <#715 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACY4APMFX573AKQPIIFVLLVLP7LFANCNFSM5WG62C6A> . You are receiving this because you authored the thread.Message ID: ***@***.***>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chrome.scripting.executeScript allFrames doesn't resolve on CSP-restrictive pages. #715

chrome.scripting.executeScript allFrames doesn't resolve on CSP-restrictive pages. #715

tomasdev commented May 18, 2022

This comment was marked as off-topic.

tomasdev commented May 22, 2022 via email

This comment was marked as off-topic.

This comment was marked as off-topic.

This comment was marked as off-topic.

tomasdev commented May 22, 2022 via email

tomasdev commented May 23, 2022

This comment was marked as off-topic.

This comment was marked as off-topic.

tomasdev commented May 23, 2022 via email

This comment was marked as off-topic.

chrome.scripting.executeScript allFrames doesn't resolve on CSP-restrictive pages. #715

chrome.scripting.executeScript allFrames doesn't resolve on CSP-restrictive pages. #715

Comments

tomasdev commented May 18, 2022

This comment was marked as off-topic.

tomasdev commented May 22, 2022 via email

This comment was marked as off-topic.

This comment was marked as off-topic.

This comment was marked as off-topic.

tomasdev commented May 22, 2022 via email

tomasdev commented May 23, 2022

This comment was marked as off-topic.

This comment was marked as off-topic.

tomasdev commented May 23, 2022 via email

This comment was marked as off-topic.