How to properly handle chrome extension updates from content scripts

by

Once Chrome extension update happens, the “orphaned” content script is cut off from the extension completely. The only way it can still communicate is through shared DOM. If you’re talking about really sensitive data, this is not secure from the page. More on that later.

First off, you can delay an update. In your background script, add a handler for the chrome.runtime.onUpdateAvailable event. As long as the listener is there, you have a chance to do cleanup.

// Background script
chrome.runtime.onUpdateAvailable.addListener(function(details) {
  // Do your work, call the callback when done
  syncRemainingData(function() {
    chrome.runtime.reload();
  });
});

Second, suppose the worst happens and you are cut off. You can still communicate using DOM events:

// Content script
// Get ready for data
window.addEventListener("SendRemainingData", function(evt) {
  processData(evt.detail);
}, false);

// Request data
var event = new CustomEvent("RequestRemainingData");
window.dispatchEvent(event);

// Be ready to send data if asked later
window.addEventListener("RequestRemainingData", function(evt) {
  var event = new CustomEvent("SendRemainingData", {detail: data});
  window.dispatchEvent(event);
}, false);

However, this communication channel is potentially eavesdropped on by the host page. And, as said previously, that eavesdropping is not something you can bypass.

Yet, you can have some out-of-band pre-shared data. Suppose that you generate a random key on first install and keep it in chrome.storage – this is not accessible by web pages by any means. Of course, once orphaned you can’t read it, but you can at the moment of injection.

var PSK;
chrome.storage.local.get("preSharedKey", function(data) {
  PSK = data.preSharedKey;

  // ...

  window.addEventListener("SendRemainingData", function(evt) {
    processData(decrypt(evt.detail, PSK));
  }, false);

  // ...

  window.addEventListener("RequestRemainingData", function(evt) {
    var event = new CustomEvent("SendRemainingData", {detail: encrypt(data, PSK)});
    window.dispatchEvent(event);
  }, false);
});

This is of course proof-of-concept code. I doubt that you will need more than an onUpdateAvailable listener.

More Related Contents:

  1. How can I get the current Crome URL?
  2. Use a content script to access the page context variables and functions
  3. Chrome Extension Message passing: response not sent
  4. “Cannot read property of undefined” when using chrome.tabs or other chrome API in content script
  5. How to detect page navigation on YouTube and modify its appearance seamlessly?
  6. Chrome Extension how to send data from content script to popup.html
  7. Injecting JS functions into the page from a Greasemonkey script on Chrome
  8. Chrome extension: How to remove orphaned script after chrom extension update
  9. Check if user has a third party Chrome extension installed
  10. Loading external javascript in google chrome extension
  11. How to keep Google Chrome Extension popup open?
  12. Inspecting WebSocket frames in an undetectable way
  13. Getting unique ClientID from chrome extension?
  14. Does extension messaging like chrome.runtime.sendMessage internally use JSON.stringify?
  15. chrome.storage.local.get and set [duplicate]
  16. How to detect the installed Chrome version?
  17. Access variables and functions defined in page context using a content script
  18. Why is document.execCommand(“paste”) not working in Google Chrome?
  19. Cross-Origin XMLHttpRequest in chrome extensions
  20. How to get errors stack trace in Chrome extension content script?
  21. Getting selected text in a Chrome extension
  22. tabs.executeScript – passing parameters and using libraries?
  23. Pass a variable from content script to popup
  24. Store an array with chrome.storage.local
  25. How to develop Chrome extension for Gmail?
  26. Chrome content scripts aren’t working: DOMContentLoaded listener does not execute
  27. Chrome extension: Checking if content script has been injected or not
  28. How to to initialize keyboard event with given char/keycode in a Chrome extension?
  29. Cross-domain XMLHttpRequest using background pages
  30. Link to chrome:// url from a webpage

Leave a Comment