chrome.runtime will no longer be defined unconditionally in Chrome 106
3,320 views
Skip to first unread message
Martin Kreichgauer
Aug 24, 2022, 3:00:16 PM8/24/22
to chromium-...@chromium.org
Hello Chromium extension developers,
TL;DR: Chrome 106 will include a change that causes `chrome.runtime` to no longer be defined unconditionally on all sites. Websites must always expect `chrome.runtime` to be undefined in contexts where there is no connectable extension.
Over the past couple of months, we have taken steps to remove Chrome's legacy U2F security API. This API was implemented in a hidden Chrome extension called CryptoToken, which by design was externally connectable from all URLs. The presence of this extension meant that `chrome.runtime` was effectively always defined on any web origin, because there was always at least one extension to connect to, even if the user installed no other connectable extensions themselves. As part of the U2F removal process, Chrome 106 stops loading CryptoToken by default, which means that `chrome.runtime` will now be undefined in contexts where there is no other connectable extension.
Websites should never assume that `chrome.runtime` is defined unconditionally. As a temporary escape hatch, the effects of this change can be reversed by enabling the chrome://flags/#load-cryptotoken-extension flag or an upcoming enterprise policy named "LoadCryptoTokenExtension".
Cheers,
Martin Kreichgauer
Mike-O
Aug 24, 2022, 6:48:37 PM8/24/22
to Chromium Extensions, mart...@google.com
As an extension developer, I extensively use chrome.runtime to send messages between service worker, content script, and panel, as well as utilizing onStartup, onInstalled, getManifest, and setUninstallURL. What does this mean for me? Do I need to add something to my manifest? Do I need to load chrome.runtime first before doing something like a message listener?
hrg...@gmail.com
Aug 24, 2022, 7:11:55 PM8/24/22
to Chromium Extensions, Mike-O, mart...@google.com
The announcement doesn't say anything about content scripts, it only mentions websites.
chrome.runtime will always be defined in content scripts because that's the only way the content script can access things like chrome.runtime.id, chrome.runtime.lastError, etc.
chrome.runtime will always be defined in content scripts because that's the only way the content script can access things like chrome.runtime.id, chrome.runtime.lastError, etc.
Jackie Han
Aug 25, 2022, 12:26:46 AM8/25/22
to Martin Kreichgauer, chromium-...@chromium.org
Hi Martin,
What does "unconditionally" mean? In other words, under what conditions is it available?
When "externally_connectable" is declared in the extension's manifest.json, `chrome.runtime` is available, right?
externally_connectable https://developer.chrome.com/docs/extensions/mv3/manifest/externally_connectable/
Sending messages from web pages https://developer.chrome.com/docs/extensions/mv3/messaging/#external-webpage
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAB%3DfcEaA4u%3DAfePCOPouF9CJScNQX3qQJEwuxvgo1Z7SHNTquw%40mail.gmail.com.
Jackie Han
Aug 25, 2022, 12:36:09 AM8/25/22
to Martin Kreichgauer, chromium-...@chromium.org
This forum is for extension developers. It's best to add this change log to the Chromium Blog(Chrome 106 Beta: xxx) as well, so website developers will know too.
Moe Bazzi
Aug 25, 2022, 2:49:12 AM8/25/22
to Jackie Han, Martin Kreichgauer, chromium-...@chromium.org
Hey everyone,
I think this only applies for websites, and not scripts that come from chrome extensions like content scripts, service worker, popup etc. For these types of scripts, it’s safe to assume that chrome.runtime will be always defined unconditionally.
This was my understanding, please correct if I’m wrong.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAgdh1LHDQS-PjiJZ9OcfdJWWvzXSJ9fKOL0AwcuEwVuwh8jJg%40mail.gmail.com.
Jackie Han
Aug 25, 2022, 3:50:09 AM8/25/22
to Moe Bazzi, Martin Kreichgauer, chromium-...@chromium.org
Yes, it should only affect websites (the main world of content script).
If you want to receive messages from the main world directly, you should add externally_connectable in manifest:
"externally_connectable": {
"matches": [
"https://*.mysite.com/*",
"https://*.mysite.com/*",
...
or <all_urls>
]
or <all_urls>
]
}
Simeon Vincent
Aug 25, 2022, 1:11:05 PM8/25/22
to Jackie Han, Moe Bazzi, Martin Kreichgauer, chromium-...@chromium.org
This forum is for extension developers. It's best to add this change log to the Chromium Blog(Chrome 106 Beta: xxx) as well, so website developers will know too.
Excellent point, I'll try to make this happen.
Simeon - @dotproto
Chrome Extensions DevRel
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAgdh1%2BiaZUNKUYwM1omtNneBgXPj%3DvdEt053qMXnszc9CBh3w%40mail.gmail.com.
blackout
Sep 11, 2023, 2:33:34 PM9/11/23
to Chromium Extensions, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
According to the documentation on https://developer.chrome.com/docs/extensions/mv3/manifest/externally_connectable/ using <all_urls> is not allowed. But i have tested with manifest v3 it does work with <all_urls>.
Documentation says last Updated on Friday, October 31, 2014. I am confused can we use this with our extension on CWS or not?
wOxxOm
Sep 11, 2023, 3:23:32 PM9/11/23
to Chromium Extensions, blackout, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
Broad host permissions such as <all_urls> were allowed in Chrome 107: https://crrev.com/1047586
The documentation is outdated.
Simeon Vincent
Sep 11, 2023, 6:47:09 PM9/11/23
to wOxxOm, Chromium Extensions, blackout, Jackie Han, Martin Kreichgauer, Moe Bazzi
I'm sure PRs would be appreciated: https://github.com/GoogleChrome/developer.chrome.com/blob/main/site/en/docs/extensions/mv3/manifest/externally_connectable/index.md
Simeon - @dotproto
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/e26e5828-ea16-427a-b1fe-a9b95acadb70n%40chromium.org.
blackout
Sep 12, 2023, 1:18:55 PM9/12/23
to Chromium Extensions, wOxxOm, blackout, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
On https://crrev.com/1047586 it says "... This CL doesn't fully remove the permission to avoid introducing install-time warnings for any existing extensions that leverage it...."
Does this mean using externally_connectable.all_urls permission will not deactivate our extension on already installed browsers?
wOxxOm
Sep 13, 2023, 6:31:56 AM9/13/23
to Chromium Extensions, blackout, wOxxOm, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
It means you don't need this separate permission now, but if you were using it previously nothing bad will happen if you remove this permission.
blackout
Sep 13, 2023, 7:07:49 AM9/13/23
to Chromium Extensions, wOxxOm, blackout, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
Sorry for confusion.
I would like to add following:
I would like to add following:
"externally_connectable": {
"matches": ["<all_urls>"]
}
for the first time on my already existing extension on CWS. Will this cause deactivation of already installed extensions like some permissions do? Current version does not use externally_connectable at all.
wOxxOm
Sep 13, 2023, 7:53:50 AM9/13/23
to Chromium Extensions, blackout, wOxxOm, Jackie Han, Martin Kreichgauer, chromium-...@chromium.org, Moe Bazzi
"externally_connectable" section doesn't contribute to permissions regardless of its "matches", so you can specify it, but you'll probably want to add "minimum_chrome_version": 107 as well because all_urls won't work in earlier versions of Chrome anyway and probably won't be even installed.
Reply all
Reply to author
Forward
0 new messages