0

I have developped a chrome web extension, where I inject a .js in a website to automate some task. And it works well. But, whenever I put that tab in the background, it doesn't ! (It lags/skip setTimeout())

So, after a bit of googling, I heard it was 'normal and intended behavior' and peoples suggested to use Web Workers. But now, when I try and inject a webworker, the site tells me it's impossible because of CSP directives

here is a sample code :

injecter.js (that works out fine)

if(nbrTabs > 0){

    chrome.tabs.executeScript(tabs[0].id, {file: "worker.js"}); 
    chrome.tabs.executeScript(tabs[0].id, {file: "utilities.js"});      
            
    DisableStart();
    EnableStop();
    save();
}

worker.js


function main(){                            
    
    setTimeout(function(){
        console.log("Do the things ...");
        buttonOnThePage.click();
    }, 1000);

    return null;
}

onmessage = function(e){
    console.log("Worker Start\n");
    main();
    postMessage("Worker End");
}

utilities.js

var worker = new Worker("./worker.js");

worker.onmessage = function(e) {
    worker.terminate();
};

worker.postMessage('Start');

When using those, I get an error in the console saying

GET https://www.example.com/bar/utilities.js 404

So, I guess it doesn't work. So, I tried a second thing, where I have my worker AND my main 'thread' on the same file resulting in :

utilities.js

var string = `
function main(){                            
    
    setTimeout(function(){

        console.log("Do the things ...");
        buttonOnThePage.click();

    }, 1000);

    return null;
}

onmessage = function(e){
    console.log("Worker Start\n");
    main();
    postMessage("Worker End");
}`;

var blob = new Blob([string], {type: 'application/javascript'});
var worker = new Worker(URL.createObjectURL(blob));

worker.onmessage = function(e) {
    worker.terminate();
};

worker.postMessage('Start');

But now, I have an error telling me "Failed to construct 'Worker': Access to the script at 'blob:https://www.example.com/some-rando-strings' is denied by the document's Content Security Policy."

Spiron
  • 1
  • 1
  • I have to say I am surprised Web Extensions are also subject to CSP -- see, for a regular script to attempt to do what you're doing, I'd expect CSP to rightfully prevent loading of code without an origin -- what you're essentially doing with your blob of code. But I also have learned that Web Extensions in Chrome at least _are_ actually subject to CSP: https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/. You probably need to modify the one applying to your extension, as described in the article (modifying the manifest). – Armen Michaeli Oct 01 '21 at 16:15
  • I just read it and yes. But -if I understood correctly- they are talking about using sandbox on the .html of the extension. (Which is NOT what I'm aiming to do) I'm aiming to inject a .js in a website which I do now own and run a worker on the tab running the website. – Spiron Oct 01 '21 at 16:28
  • Is it unavoidable ? Should I use firefox, and port the code here ? I heard it may resolve my issue? Though, I don't want to commit to that without being 99.9% sure that it would work ! – Spiron Oct 01 '21 at 16:44
  • Add an iframe with an extension page inside, [example](https://stackoverflow.com/a/25100953). It and its contents will be exempted from site's CSP so you'll run the workers there or just run the code directly since Chrome wouldn't throttle extension context probably. To communicate with the page you can use chrome.runtime messaging. – wOxxOm Oct 01 '21 at 18:01
  • I see, but the thing is I need the worker to use the click method on the site where it's supposed to be injected. Running them in another .html would prevent that as far as I know. I don't really need any data from the page (besides the elements to click on) – Spiron Oct 01 '21 at 20:16
  • Workers can't access DOM anyway. – wOxxOm Oct 02 '21 at 11:33

0 Answers0