jmercouris
commented
2 years ago Hello Blair, thank you for this pull request :-)
I have just a few questions! I am very interested in your thoughts!
Closed blairmunroakusa closed 2 years ago
jmercouris
commented
2 years ago Hello Blair, thank you for this pull request :-)
I have just a few questions! I am very interested in your thoughts!
blairmunroakusa
commented
2 years ago Final commit in place. Ready for merge.
Learnings from this PR:
_Only background and popup scripts have access to chrome API. Content scripts have access to page content. Content scripts also have access to chrome API methods relating to communication with the background/popups and a few other utilities. Any tab manipulation, script execution, actions, +much else, must be done in the background/popup scripts. For a background script to execute a script on a webpage in a tab, it must have activeTab permission for that tab, or permission hard-coded into the host_permissions field in the manifest. Unfortunately, the only was to get activeTab permission is for a user-driven action to take place in the browser (like a click event). It appears to be impossible to automatically grant a page activeTab permission (though there may be a hack, who knows). This means that the only way to present a banner via css injection and script execution is to resort to the <all_urls> (*://*/*) option for host permissions in the manifest._
But like you said, this is dangerous in the event that somebody compromises our extension (which I don't know how this would work, but it sounds bad.) I don't like it.
I believe the iframe approach is the only was to circumvent this.
This PR includes the following changes: . add red banner warning with logo, text, and closeout button . closeout button reads I TRUST THIS SITE, as specified by issue 10 . inject banner with new message command from background script . banner.js script to construct the banner and behavior . banner.css sheet to style banner . dashed red line around screen is removed . alert is removed