1

I'm building a Chrome extension that will let you add a bunch of new reactions to Facebook posts. You can see the first version of it here: http://reactions.us/

The way I'm handling it now is a bit inelegant. When a user adds a "reaction", I'm adding a custom emoticon as a comment and then parsing it, removing the original comment from the dom, and adding the corresponding "reaction" to the post.

Here's what I would like to do

I would like to reach out to an external api, say at http://api.reactions.us, in order to set and get the reactions for a certain story. In order to do this I (think) I need to add an ajax call to the page. But when I add the ajax call to a "web_accessible_resources" script that's loaded onto the page via an init script in "content_scripts" I get this error:

Refused to connect to 'http://reactions.us/getReactions?id=111' because it violates the following Content Security Policy directive: "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com".

Here's the relevant code in the plugin: https://github.com/ollerac/New-Facebook-Reactions/blob/master/reactions.js#L161

Any help would be greatly appreciated. Perhaps there's a way to pass messages between the content scripts and the web accessible resources?

wings
  • 591
  • 5
  • 12

1 Answers1

3

I found the answer. I had followed the advice of this post when I first started: Insert code into the page context using a content script

It suggests injecting your scripts directly into the page if you don't need access to any of the chrome API functions and that's exactly what I did because I didn't need them before.

But you can do pretty much the same thing (access and modify the dom -- and now even make ajax requests) merely with content scripts.

This post is helpful when talking about Cross-domain XMLHttpRequest using content scripts: Cross-domain XMLHttpRequest using background pages

Community
  • 1
  • 1
wings
  • 591
  • 5
  • 12
  • The only reason to inject a script is if you need access to JavaScript objects in the page's context. If you don't need this capability, then you should just use content scripts. Even if you need to inject in the page, then you can still set up a message channel (either via `window.postMessage`, or via `MessageChannel` object) to communicate between the content script and the page. – Rob W Jun 28 '14 at 08:33