Question: Can anyone explain that what is the use of "match_about_blank" in chrome extension's manifest file?

Question

Can anyone explain that what is the use of "match_about_blank" in chrome extension's manifest file?

Answers 1
Added at 2016-12-31 15:12
Tags
Question

I am new to chrome extensions but failed to know about the use of "match_about_blank" property in manifest file. Can anyone explain in easy words ?

Answers to

Can anyone explain that what is the use of "match_about_blank" in chrome extension's manifest file?

nr: #1 dodano: 2016-12-31 17:12

Let me start by quoting the documentation of "match_about_blank":

Whether to insert the content script on about:blank and about:srcdoc. Content scripts will only be injected on pages when their inherit URL is matched by one of the declared patterns in the matches field. The inherit URL is the URL of the document that created the frame or window. Content scripts cannot be inserted in sandboxed frames.

To fully understand this, some concepts are necessary:

  • The same-origin policy is a fundamental security feature of browsers that enforces that web pages can only run scripts in other frames or windows if the documents are served from the same origin.

  • Often, the "origin" of a page can be determined by looking at the URL. There are some exceptions where that is not possible, including "about:blank", "about:srcdoc" and sandboxed frames.

    • "about:blank" is a blank page. When you create an empty frame (e.g.<iframe>) or open a new window (window.open()), the URL is "about:blank". To allow the opener to run scripts in this page, the blank page has the same origin as the page/frame that opened the window/frame.

    • "about:srcdoc" is the URL of a frame whose content is set via the srcdoc attribute of an iframe, and inherits the origin of the parent window, similar to "about:blank" frames.

    • Sometimes a frame has an origin that is distinct from any other origin, and as a result no other page can run scripts in that frame. There are two ways to reach this condition: 1) when the user navigates to "about:blank" via the location bar. 2) When the page is affected by a sandbox without the "allow-same-origin" directive (either via the Content-Security-Policy HTTP header or via the sandbox attribute of an iframe).
  • Chrome extensions cannot run scripts in other websites, unless they explicitly request permission for that website, either by declaring host permissions in the "permissions" section of manifest.json, or by listing a site in the "matches" section of a content script.

Content scripts are run in pages (and frames) when their URL is matched by the "matches" key in manifest.json. In the past, it was not possible to directly run scripts in blank frames, because "about:blank" cannot be matched by a match pattern. Users (including developers of ad blockers) requested the ability to run scripts in blank frames (see issue 76429: Content scripts do not inject into frames with no src because their url is "about:blank").

I suggest to read from comment 35 onwards if you are interested in the full history behind the development of the "match_about_blank" key. In short, the "about:blank" match pattern in itself is quite useless since it would match lots of frames from all origins. Hence the ability to run scripts was implemented by introducing a match_about_blank key (instead of supporting an "about:blank" match pattern).

So you should only use "match_about_blank":true if you want to run scripts in blank frames. Most extensions should also set "all_frames": true (otherwise the script only runs in blank top-level frames, and not child frames). So, to run scripts in example.com and all blank frames/windows opened from it, use the following in manifest.json:

...
"content_scripts": [{
    "js": ["contentscript.js"],
    "matches": ["*://*.example.com/*"],
    "all_frames": true,
    "match_about_blank": true
}]
...

Here are some examples to show the effect of the above content script declaration.

This page is at https://example.com/index.html
<!-- Content script will run here -->

<!-- This frame is about:blank, at the same origin as https://example.com -->
<iframe></iframe> <!-- Content script runs in the frame too -->

<!-- This frame is about:srcdoc, at the same origin as https://example.com -->
<iframe srcdoc="test"></iframe> <!-- Content script runs in the frame too -->

<!-- This frame is about:blank, but with a unique origin -->
<iframe sandbox=""></iframe> <!-- No content script -->

<!-- This frame is about:blank, at the same origin as https://example.com -->
<iframe sandbox="allow-same-origin"></iframe>
<!-- Content script runs in the above frame too -->

Note: If the opener itself is also a blank frame, then the opener of the opener is used, until either an non-blank opener is found. If there is no such opener, or if the opener does not match the "matches" pattern, then the content script does not run.


Similarly, content scripts that are dynamically inserted using chrome.tabs.executeScript are only run in blank frames if matchAboutBlank is true and the extension has the permission to run scripts in the (nearest non-blank) opener of that frame or tab.

Source Show
◀ Wstecz