Console shows error about Content Security policy and lots of failed GET requests

by

Let’s start with the easiest problem:

Refused to execute inline script because …

$('div', this) selects all <div> elements within a <td>. In the source code you provided, the following event handler can be found:

<div class="smallfont">
    <span style="cursor:pointer" onclick="window.open('member.php?u=47995', '_self')">K4raMong</span>
</div>

By the default Content Security policy, this is forbidden. To get rid off the error, just remove the attribute before inserting it in the document:

element.removeAttribute('onclick'); // in jQuery: $element.removeAttr('onclick');

Why are these images loaded? I didn’t put them in the document

Before jQuery/JavaScript can manipulate DOM, it must be parsed first. In your code, this work is implicitly done at the var TDs = $(.., data). line. This parsing is approximately equal to:

var dummy = document.createElement('div'); // Container
dummy.innerHTML = data;

Ever heard about preloading images? That is a useful feature to cache images, so that they’re ready when needed. This can be done using (new Image).src="https://stackoverflow.com/questions/12089752/...";. The created <img> element doesn’t have to be inserted in the document.

In your case, this is undesired behaviour, because these images are looked up in your extension. This is caused by the fact that your web page makes use of relative URLs, rather than absolute ones. When using relative URLs, the expected location of the resources depends on the location of the current document.

How to fix it

Do not use jQuery. Since you’re writing a Chrome extension, you do not need to worry about cross-browser compatibility. jQuery uses the innerHTML trick to parse HTML, which failed, as I’ve previously shown.

JavaScript has the DOMParser object, which can be used as follows since Chrome 30:

var doc = (new DOMParser).parseFromString(data, 'text/html');

You can skip the manual conversion from string to document using the responseType property, as shown below.

Arriving at the solution

As you already know, cross-site requests are possible in Chrome extensions, provided that the URL is correctly added to the permissions section in the manifest file. We’re going to use a feature introduced in XMLHttpRequest level 2, namely the responseType attribute.

// Fetching data
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://gaming.ngi.it/subscription.php?do=viewsubscription');
xhr.onload = function() {
    var doc = xhr.response;
    // Now, you can use jQuery, since the string has been parsed.
    ...
};
xhr.responseType="document"; // Chrome 18+
xhr.send();

You can easily rewrite your code to use native DOM and JavaScript instead of jQuery. Most use jQuery for the selector engine, but most often, it can also be implemented using element.querySelectorAll. After getting the document using var doc = xhr.response;, do the following:

var TDs = doc.querySelectorAll('td[id*="td_threadtitle_"]');
var html="";
[].forEach.call(TDs, function(td) {
    // etc, etc. Do your job
});

Do you see var html="";? That’s good practice, regardless of whether you’re using jQuery or not. Never do element.innerHTML += ...; or even worse $element.html($element.html() + ...); in a loop. The browser will have a hard time with rendering it over and over again, and you -as a user- notice performance degradation.

More Related Contents:

  1. The Chrome extension popup is not working, click events are not handled
  2. Content-Security-Policy error in google chrome extension making
  3. Javascript: Let user select an HTML element like Firebug?
  4. How to fix chrome-extension inline JavaScript invocation error?
  5. Can a website block a Chrome Extension? [duplicate]
  6. Use a content script to access the page context variables and functions
  7. Chrome Extension Message passing: response not sent
  8. “Cannot read property of undefined” when using chrome.tabs or other chrome API in content script
  9. How to detect page navigation on YouTube and modify its appearance seamlessly?
  10. Violation Long running JavaScript task took xx ms
  11. Chrome Extension how to send data from content script to popup.html
  12. Injecting JS functions into the page from a Greasemonkey script on Chrome
  13. Chrome extension adding external javascript to current page’s html
  14. How to retrieve the element where a contextmenu has been executed
  15. Chrome extension: How to remove orphaned script after chrom extension update
  16. Check if user has a third party Chrome extension installed
  17. Loading external javascript in google chrome extension
  18. How to keep Google Chrome Extension popup open?
  19. Chrome extension: Inject JS before page load
  20. How to give a Blob uploaded as FormData a file name?
  21. How to properly handle chrome extension updates from content scripts
  22. chrome.storage.local.get and set [duplicate]
  23. How to detect the installed Chrome version?
  24. Access variables and functions defined in page context using a content script
  25. Why is document.execCommand(“paste”) not working in Google Chrome?
  26. Cross-Origin XMLHttpRequest in chrome extensions
  27. Getting selected text in a Chrome extension
  28. tabs.executeScript – passing parameters and using libraries?
  29. Pass a variable from content script to popup
  30. Store an array with chrome.storage.local

Leave a Comment