Closed jonathanmayer closed 10 years ago
I have just been talking to Cooper about this further. It seems like our dirty hacks are going to suck a lot (for instance, they will require us to perform a cookie clear at install time).
The best "correct" solution is to do your injection into all frames, with the current list of yellow domains targeted and the current first party origin removed. That should hopefully be more like a ~50 entry object injected into each frame, rather than a ~500 entry object.
Ended up doing this with a fake cookie store and the cookies API. It all seems to be working.
The chrome.tabs.executeScript API is very limited. We can only inject a script into either the top-level frame or all frames. That's a problem, since we want the cookie / local storage clobbering script to only run in certain frames.
A hacky solution would be to inject the script into all frames, with a dynamically generated part of the script testing for whether the current frame is third party and, if so, whether it's whitelisted. Blech.
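A sketch of the all-frames approach discussed in this thread, as an added example that is not code from this project: the background page trims the yellow list for the tab, then injects one script into every frame that checks its own hostname against that list. The function names and the `.example` domains are hypothetical, and domain matching is a plain suffix check rather than a Public Suffix List lookup.

```javascript
// Added example: all names here are hypothetical, not the extension's own.

// True if host equals domain or is a subdomain of it (assumption: a plain
// suffix check stands in for a Public Suffix List lookup).
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Background side: drop every yellow-list entry that belongs to the tab's
// first party, so the top frame and same-site frames can never match.
function buildFrameList(yellowDomains, tabUrl) {
  const firstParty = new URL(tabUrl).hostname;
  return yellowDomains.filter(
    (d) => !hostMatches(firstParty, d) && !hostMatches(d, firstParty)
  );
}

// Build the script text that runs in each frame. The trimmed list is
// serialised into the script, since an injected script cannot see
// background-page variables.
function buildInjectedCode(frameList) {
  return "(" + function (list) {
    var host = document.location.hostname;
    var hit = list.some(function (d) {
      return host === d || host.slice(-(d.length + 1)) === "." + d;
    });
    if (hit) {
      // The cookie / local storage clobbering would run here.
    }
    return hit;
  } + ")(" + JSON.stringify(frameList) + ");";
}

// Inject into every frame of the tab; each frame decides for itself.
function injectIntoAllFrames(tabId, tabUrl, yellowDomains) {
  chrome.tabs.executeScript(tabId, {
    code: buildInjectedCode(buildFrameList(yellowDomains, tabUrl)),
    allFrames: true,
    runAt: "document_start"
  });
}
```

Because the first-party entry is removed before injection, a match inside a frame already implies that the frame is third party, so no separate third-party test is needed in the injected script.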