0

What am I building is simple chrome extension which adds my script to all pages user visit like this

in contentscript.js:

var s = document.createElement('script');
s.src = 'https://localhost:3000/js/hack.js';
s.onload = function() {
    this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);

on rails-backend there is simple login-password and omniauth(oauth) authorization via devise gem.

If I authorize on rails pages and later in hack.js I try to make some ajax calls to my local server via XMLHttpRequest - it tries its best to assure me that user is not authorized.

I bet it can be solved via opening invisible iframe somewhere, but that's hellova pain, may be there are some more handy methods?

scythargon
  • 3,363
  • 3
  • 32
  • 62
  • Why do you need to host that script as opposed to bundling it with the extension? – Xan Feb 08 '15 at 11:22
  • @Xan that's a common way to do that because scripts that you ship with your extensions are executed in a special namespace, not actually on the page – scythargon Feb 08 '15 at 14:13
  • Wrong: if you inject you script using a ` – Xan Feb 08 '15 at 14:14
  • @Xan that's exactly what I do. and shipping my script from external server allows me to update it easily – scythargon Feb 08 '15 at 14:20

1 Answers1

1

To do an authorized request, you probably have to get your script in an XHR, where you can add various auth headers. Then the script can be injected as inline code instead of supplying an src.

Do note that content scripts can do cross-domain XHR for all sites that have host permissions in the manifest, even if the page is not allowed to do it.

Since the page's Content Security Policy can potentially forbid injection of a script with your URL in the src, but injecting it as inline script sort of bypasses CSP, it's a superior method anyway.

Community
  • 1
  • 1
Xan
  • 74,770
  • 16
  • 179
  • 206
  • any examples of "to get your script in an XHR, where you can add various auth headers" ? – scythargon Feb 08 '15 at 14:50
  • Which part? Specific auth scheme? Basic is [something like that](http://stackoverflow.com/a/12852667/934239), OAuth - I think the various keys are just encoded in request parameters. – Xan Feb 08 '15 at 14:57