'Is it possible to inject a custom authentication library into a chrome extension background script?
I'm in the process of building a chrome extension that needs to leverage my companies internal SSO system. I'm using a background script because I need to make a CORS call to a service that can return an auth token. I've developed a library that can handle this for me but based on what I have read there is no way to inject it into a background script. I could relax the Content Policy to allow for it but the documentation states that they strongly recommend not doing this because of XSS vulnerabilities. My question is: Is there a way to inject my library into the background script without altering the content policy?
//manifest.json
{
"name": "Learning",
"version": "1.0",
"description": "Chrome extension to enable xAPI",
"background": {
"scripts": ["tx.js", "tx-auth.js", "main.js"],
"persistent": true
},
"permissions": [
"activeTab",
"tabs"
],
"content_scripts": [
{
"run_at": "document_end",
"matches": ["http://*/*", "https://*/*"],
"js": ["interactionProfile.js", "tx.js", "all.js"]
},
{
"run_at": "document_end",
"matches": ["*://*.youtube.com/*"],
"js": ["interactionProfile.js", "tx.js", "youtube.js"]
}
],
"browser_action": {
"default_popup": "main.html"
},
"manifest_version": 2
}
// all.js
console.log('all')
const iframe = document.createElement('iframe');
iframe.setAttribute('src', "http:****/identification");
iframe.style.display = "none";
document.body.appendChild(iframe);
chrome.runtime.sendMessage({contentScriptQuery: '', create: tx.default.create}, (tx) => {
console.log(tx)
})
chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
request.create({
endpoint: '*****',
username: '*****',
password: '*****',
allowfail: false,
env: "sandbox",
xapiEndpoint: '******'
}).then((tx) => sendResponse(tx));
return true;
});
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|