Route webdriver-probe fallback through chrome.scripting.executeScript#132
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
The inline-<script> fallback in webdriver-probe-annotate's apply() was blocked on strict script-src origins, so the active tab got no probe until the next navigation. Replace it with a content→background message that runs installProbe via chrome.scripting.executeScript with world: "MAIN" — same primitive as the primary registration, just on-demand and CSP-exempt. Per #131's follow-up comment, the request fires unconditionally on every apply() (not just when CSP would block); the probe's own __abs_webdriver_probe_installed flag handles dedupe, and targeting sender.frameId avoids re-invoking subframes the registered probe already reached. Background-side executeScript rejections (chrome://, Web Store, etc.) are swallowed to match the registration's silent skip on those origins. Closes #131 Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
chrome.scripting.executeScript requires host_permissions for the target origin even when world: "MAIN" — unlike registerContentScripts, which honors the content_scripts.matches model. With only api.openai.com declared, the #131 fallback rejected on every other host with "Cannot access contents of the page." The extension already declares content_scripts.matches: ["<all_urls>"], so the install-time warning is unchanged; this just unblocks the programmatic injection path the executeScript fallback needs. The existing api.openai.com entry was redundant under <all_urls>. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
a44a81f to
2277998
Compare
Manifest permission diffThe extension's MV3 permission surface changed in this PR. Reviewer: confirm each addition is intentional and necessary. host_permissions
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
<script>fallback inwebdriver-probe-annotate'sapply()was blocked on strictscript-srcorigins, so the active tab got no probe until the next navigation. The fallback now sends aninject-webdriver-probemessage to the background worker, which runsinstallProbeviachrome.scripting.executeScriptwithworld: "MAIN"— same primitive as the primaryregisterContentScriptspath, just on-demand and CSP-exempt.apply()(not just when CSP would block); the probe's own__abs_webdriver_probe_installedflag handles dedupe. The background-side handler targetssender.frameIdso subframes the registered probe already reached aren't re-invoked, and swallowsexecuteScriptrejections on restricted URLs (chrome://, Web Store, etc.) to match the registration's silent skip.Closes #131
Test plan
bun run typecheckbun run test(1002 passing)bun run check(biome + eslint clean)bun run build—background.jspurity check still passes after pullinginstallProbefromlib/webdriver-probe-sourceinto the worker bundle (no rule-file leak)webdriver-probe-annotateon athttps://shield-dark-pattern-demo.vercel.app/(strict-CSP repro from the issue), confirm no CSP console violation and that anavigator.webdriverread still stamps the landmark on the current tabchrome://extensions) don't surface unhandled rejections in the background console🤖 Generated with Claude Code