11. Chrome Extensions
• Installable, App-like, JS+CSS+HTML
• Look-over-your-shoulder; and
• Liminal: between your browser and the world
• Powerful position!
• Democratic, open like the web
19. content scripts
• Injected js in each tab
• “Bookmarklet on steroids”
• Can read/write DOM
• Can only access chrome message-passing APIs
• No access to other `chrome.*` APIs
• Operates in “isolated world”
manifest.json:
"content_scripts": [
  {
    "matches": ["<all_urls>"],
    "js": [
      "jquery.js",
      "content_script.js"
    ]
  }
],
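Added example (not from the original slides): a small Node.js auditor that reads a manifest's content_scripts and reports how widely each entry injects, since a `<all_urls>` match like the one in the snippet above puts the listed scripts in every tab. The function names, the sample manifests and their name/version fields are assumptions made for this illustration.

```javascript
// Classify one match pattern (<scheme>://<host>/<path>) by the sites it covers.
function classifyPattern(pattern) {
  if (pattern === "<all_urls>") return "all-sites";
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return "invalid";
  if (m[1] === "file") return "local-files";
  const host = m[2];
  if (host === "*") return "all-sites";
  if (host.startsWith("*.")) return "wildcard-subdomains";
  return host ? "single-host" : "invalid";
}

// Return one finding per (content_scripts entry, match pattern) pair.
function auditContentScripts(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((entry, index) => {
    for (const pattern of entry.matches || []) {
      findings.push({
        index,
        pattern,
        scope: classifyPattern(pattern),
        scripts: entry.js || [],
        allFrames: entry.all_frames === true, // also inject into iframes
      });
    }
  });
  return findings;
}

// Constructed sample: the content_scripts block from the slide, wrapped in a
// minimal manifest (name and version are hypothetical).
const slideManifest = {
  name: "example-extension",
  version: "1.0",
  content_scripts: [
    { matches: ["<all_urls>"], js: ["jquery.js", "content_script.js"] },
  ],
};

// Constructed sample: the same script limited to one site's subdomains.
const narrowedManifest = {
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["content_script.js"] }],
};

for (const f of auditContentScripts(slideManifest)) {
  console.log(`${f.pattern} -> ${f.scope}: ${f.scripts.join(", ")}`);
}
```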
20. background page (script)
• Accesses Chrome Extension APIs (`chrome.*`)
• Read/change browser state (tabs, windows, etc)
• Add listeners for Chrome API events (toolbar icon clicks, network requests, tab changes, history updated, etc.)
• No access to DOM
• Uses message-passing to coordinate w/ content script
• Only 1 instance per extension (not per tab)
48. WSJ Bypass
• WSJ has paywall in front of articles
• but allows Google to crawl its content
• How?
• Referer + User-Agent detection
• Solution? Chrome Ext strips referer, changes User-Agent
• Blog Post by Isoroku Yamamoto
53. Chrome Extensions: Helpful References
• Manifest.json — The portal into every extension
• hacking-the-browser repo — Lots of simple examples
• Chrome Extension Source Viewer
• BPM Browser by Brett Stiller
• Decodelia by Melanie Hoff
• Passtime by Marc Abbey
• Chrome Blog Inline Install Policy Post