0.0.4 • Published 18 days ago

@webext-pegasus/transport v0.0.4

Weekly downloads
-
License
MIT
Repository
github
Last release
18 days ago

webext-pegasus Logo

@webext-pegasus/transport

License GitHub Actions Workflow Status Package version

Turns surface specific browser APIs into unified transport layer.

Supports

  • Runtime contexts: window (injected script), popup, devtools, content script, background, options, sidepanel (planned)
  • Browsers: Chrome, Firefox, Safari, Opera, Edge + others supported by webextension-polyfill

🚀 Quick Start

npm install -S @webext-pegasus/transport

Initialize Pegasus transport layer once for every runtime context you use in your extension.

background.ts

import { initPegasusTransport } from '@webext-pegasus/transport/background';

initPegasusTransport();
// You can use all other Pegasus packages after it

As soon as Pegasus Transport was initialized - all other code that relies on transport layer may simply do the following:

import {getMessagingAPI} from '@webext-pegasus/transport';

// This will work in any runtime context as initPegasusTransport() set needed adapter within module lexical scope
const {sendMessage} = getMessagingAPI();
sendMessage(/* ... */);

Available entrypoints:

  • @webext-pegasus/transport/background
  • @webext-pegasus/transport/content-script
  • @webext-pegasus/transport/devtools
  • @webext-pegasus/transport/options
  • @webext-pegasus/transport/popup
  • @webext-pegasus/transport/window (for injected scripts)

Security risks while communicating with injected script

The following note only applies if and only if, you will be sending/receiving messages to/from window contexts. There's no security concern if you will be only working with content-script, background, popup, options, or devtools scope, which is the default setting.

window context(s) in tab A get unlocked the moment you call initPegasusTransport({allowWindowMessagingForNamespace: 'TEST'}) in your extension's content script AND initPegasusTransport({namespace: 'TEST'}) in your injected script.

Unlike chrome.runtime.sendMessage and chrome.runtime.connect, which requires extension's manifest to specify sites allowed to talk with the extension, this package has no such measure by design, which means any webpage whether you intended or not, can do sendMessage(msgId, data, 'background') or something similar that produces same effect, as long as it uses same protocol used by this library and namespace set to same as yours.

So to be safe, if you will be interacting with window contexts, treat incoming data as you would treat user input.

As an example if you plan on having something critical, always verify the sender before responding:

// background.js

import { onMessage } from '@webext-pegasus/transport/background';

onMessage("getUserBrowsingHistory", (message) => {
  const { data, sender } = message;
  // Respond only if request is from 'devtools', 'content-script', 'popup', 'options', or 'background' endpoint
});

Credits

This library is based on the Server Side Up's implementation of the webext-bridge in context of RPC stack. However it simplifies use of the sendMessage/onMessage APIs in conponents that may be present within different runtime contexts.

chromeextensionmessagingcommunicationprotocolcontentbackgrounddevtoolsscriptcrxbridge
@types/webextension-polyfillnanoeventsserialize-errortiny-uidtype-festwebextension-polyfill
@webext-pegasus/rpc@webext-pegasus/store
0.0.4

18 days ago

0.0.2

19 days ago

0.0.1

19 days ago