Chrome extension to use Manifest V3 by natashapetrus · Pull Request #37 · georiot/client-apps

natashapetrus · 2024-06-06T17:12:51Z

https://geniuslink.atlassian.net/browse/ENG-99?atlOrigin=eyJpIjoiODMzNDVhMzAzODY2NDZmZThhOWU1MzAxMzkwMzVlNTciLCJwIjoiaiJ9

natashapetrus · 2024-06-06T17:23:03Z

-        if (typeof asa !== 'undefined') {
-            self.apiSecret(asa);
-        }
+var apiKeyViewModel = {


you'll see changes to all of the Knockout viewmodels due to this: https://developer.chrome.com/docs/extensions/develop/migrate/improve-security#remove-execution-of-strings

Manifest v3 has a new rule for Content Security Policy disables eval and new Function, and Knockout's default binder uses new Function to parse bindings.

So I need to make changes to all the viewmodels to use custom binding: https://github.com/brianmhunt/knockout-secure-binding

Yeah Knockout is probably a fragile choice for a Chrome extension for a number of reasons, but that makes sense.

natashapetrus · 2024-06-06T17:24:40Z

@@ -1,22 +1,4 @@
-chrome.runtime.onInstalled.addListener(function (details) {


this is moved to the serviceworker.

some functions are kept here intentionally (ones that still need access to the DOM)

https://developer.chrome.com/docs/extensions/develop/migrate/to-service-workers#changes-over-bg

natashapetrus · 2024-06-06T17:26:10Z

-        self.showHelpLink(false);
-        self.newInstall(false);
-        self.UrlApiKeys = ('https://my.geni.us/tools#api-section');
+chrome.storage.local.get(["defaultGroup"]).then((group) => {


there's changes to ALL expressions that use localStorage to using chrome.storage.local due to this:
https://developer.chrome.com/docs/extensions/develop/migrate/to-service-workers#convert-localstorage

The web platform's Storage interface (accessible from window.localStorage) cannot be used in a service worker. To address this do one of two things. First, you can replace it with calls to another storage mechanism. The chrome.storage.local namespace will serve most use cases, but other options are available.

natashapetrus · 2024-06-06T17:29:38Z

@@ -1,4 +1,4 @@
-chrome.extension.onMessage.addListener(function (msg, sender, sendResponse) {
+chrome.runtime.onMessage.addListener(function (msg, sender, sendResponse) {


chrome.extension.onMessage is now unsupported, needs to be replaced:
https://developer.chrome.com/docs/extensions/develop/migrate/api-calls#replace-unsupported-apis

natashapetrus · 2024-06-06T17:30:47Z

@@ -0,0 +1,129 @@
+chrome.runtime.onInstalled.addListener(async function (details) {


most of the functions here are moved from the background script background.js since we need to be using service worker now in manifest v3

https://developer.chrome.com/docs/extensions/develop/migrate/to-service-workers#differences-with-sws

natashapetrus · 2024-06-06T17:31:58Z

+    "version": "1.0.6",

-    "browser_action": {
+    "action": {


https://developer.chrome.com/docs/extensions/develop/migrate/api-calls#replace_browser_action_and_page_action_with_action

natashapetrus · 2024-06-06T17:32:45Z

    "content_scripts": [{
        "matches": ["http://*/*", "https://*/*", "*://*/*"],
-        "js": ["js/openDialog.js"]
+        "js": ["js/jquery.min.js", "js/servicestack.js", "js/GeniusLinkServiceClient.js", "js/openDialog.js", "js/background.js"]


these are the scripts that needs to be accessible by the serviceworker

natashapetrus · 2024-06-06T17:33:32Z

-        "js/frame.js",
-        "alertDoneInside.html", "alertLoadingInside.html", "alertDoneOutside.html", "alertLoadingOutside.html", "css/vsprites.svg", "css/main.css", "js/bootstrap.min.js"
+        {
+            "resources": [


https://developer.chrome.com/docs/extensions/develop/migrate/manifest#update-wa-resources

natashapetrus · 2024-06-06T17:33:59Z

    "background": {
-        "scripts": ["js/background.js", "js/jquery.min.js", "js/jquery-ui.min.js", "js/bootstrap.min.js", "js/bootbox.min.js", "js/utilities.js", "js/servicestack.js", "js/GeniusLinkServiceClient.js"],
-        "persistent": true
+        "service_worker": "js/serviceWorker.js"


https://developer.chrome.com/docs/extensions/develop/migrate/to-service-workers#update-bg-field

natashapetrus · 2024-06-06T17:36:11Z


-    "content_security_policy": "script-src  'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
+    "content_security_policy": {
+        "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';"


https://developer.chrome.com/docs/extensions/develop/migrate/improve-security#update-csp

Manifest V3 disallows certain content security policy values in the "extension_pages" field that were allowed in Manifest V2. Specifically Manifest V3 disallows those that allow remote code execution. The script-src, object-src, and worker-src directives may only have the following values: self, none, wasm-unsafe-eval

matthew-dean · 2024-06-06T18:56:45Z

    <div style="padding: 20px">
        <div style="text-align: center;">
-                <button class="btn-gl-blue" style="width: 250px; font-size: 13px;" data-bind="event: { click: createLinkFromButton }">New link from current page</button>
+            <button class="btn-gl-blue" style="width: 250px; font-size: 13px;" data-bind="click: createLinkFromButton">New link from current page</button>


This is within an extension? Will this scale to the user's preferences (re: font size)?

yes, this is within the extension. also AFAIK, no. but @ssundheim might know?

matthew-dean · 2024-06-06T19:16:32Z

-}
 $('#back').on('click', 'a', function () {
    window.location.href = window.history.back(1);
 });


hmm... probably could just a button with that click action?

matthew-dean · 2024-06-06T19:17:12Z


-
-var lastLinksModel = new lastLinksViewModel();
 if (typeof testModel === 'undefined') {


equivalent to if (testModel === undefined) -- casting to a string should not be necessary

this error shows up if we do it that way, so since this is existing code, I'm keeping it as is for now, we can re-investigate and clean up later:

matthew-dean · 2024-06-06T19:19:02Z

+
            setTimeout(function () {
                iframe.remove();
            }, 5000);


Can magic numbers be documented?

tbh I don't know what this is, I didn't initially write this app, but since this is existing, I don't want to mess with it. maybe @ssundheim knows?

matthew-dean · 2024-06-06T19:19:19Z

@@ -43,5 +39,4 @@ chrome.extension.onMessage.addListener(function (msg, sender, sendResponse) {
            }, 6000);


Another magic number. Documentation?

also don't know what this is and why this number. pinging @ssundheim

matthew-dean

Ideally, the .js files wouldn't be dumping variables into the global scope. Are variables that the extension runs available to the host web page?

natashapetrus added 20 commits May 29, 2024 22:02

update manifest to v3

04e751a

manifest change + loader

fc2feeb

change some more actions

ddaeeb5

change some localstorage to using chrome.storage.local

5202b01

change to chrome.storage.local

6d9c30c

change usages of localstorage - done

efe15f5

change CSP

e1e91e5

unsafe-val -> wasm-unsafe-eval

2c18f17

remove GA CSP temporarily

2065ce5

use secure bindings

90c4caa

WIP

9a9e54b

renames

1259dcf

WIP

a38fb6a

remove test text

885a4c6

z

d7c3988

WIP

6fbc902

WIP

6e47428

rm

8865b11

ok everything works

a60f886

OK

043174f

natashapetrus requested review from matthew-dean and ssundheim June 6, 2024 17:13

natashapetrus commented Jun 6, 2024

View reviewed changes

Comment thread ChromeExtension/js/background.js Outdated

natashapetrus commented Jun 6, 2024

View reviewed changes

Comment thread ChromeExtension/js/offscreen.js Outdated

natashapetrus commented Jun 6, 2024

View reviewed changes