New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a way to prevent injecting extension content_scripts
to certain webContents
#23616
Comments
Exposing APIs for filtering things like certain features of chrome extensions from accessing specific webContents is a non-trivial quantity of work especially given the surface area of all the chrome extension APIs that could in theory touch a specific renderer / webContents. My suggestion would be to put webContents you don't want to receive the content scripts in a different session. The purpose of us using the upstream implementation of chrome extensions was to reduce the amount of patching and hackery we had around making this work, adding these events would add a large amount of complexity IMO |
@MarshallOfSound I wonder if making a different session just for a BrowserWindow uses more resources... |
It might end using slightly more disk as the cache for sessions is separate, but their shouldn't be any runtime penalty |
@MarshallOfSound I think it should be reopened. There's an another problem. What if I wanted to prevent content scripts from injecting to i.e URLs starting with wexond:// the same as Chrome does? Chrome extensions are not privileged to inject content_scripts to WebUI context. The same situation with my browser, I don't want to allow injecting content scripts to wexond:// pages. |
I think it makes sense to be able to disable loading extensions on certain custom protocols. I'm unsure about doing it on a domain basis or on an individual webcontents basis, but that could plausibly make sense too (how does that interact with the domains that extensions request access to in their manifest files?) |
I think setting it for certain protocols would be sufficient, TBH. Maybe even a new option inside registerSchemesAsPrivileged? |
Seems like as of electron 9.0.5, the extension's content scripts are only running on I'm testing it with my web-palette extension which should be matching |
I'm closing this issue in favor of #26812 |
Preflight Checklist
Ref #19447
Problem Description
Currently, extensions
content_scripts
are being injected into allwebContents
in a given session. There's no way to exclude certainwebContents
from injectingcontent_scripts
.Proposed Solution
session
or a parameter insession.loadExtension
which accepts an array ofwebContents
excluded fromcontent_scripts
injection, orsession
likebefore-content-scripts
which passeswebContents
ande.preventDefault()
would cancel the injection.Alternatives Considered
None.
The text was updated successfully, but these errors were encountered: