SlideShare a Scribd company logo

Chrome Extensions - Basic concepts powerpoint

F
f20190876

This document provides an overview of Chrome extensions, including their basic architecture and components. It discusses what extensions are and what they can do, such as modifying websites and collecting information across sites. The key parts of an extension are the manifest, background scripts, content scripts, and HTML pages. The document also covers how these components communicate via message passing and how to develop extensions securely.

Internet
1 of 31
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Chrome Extensions - Basic concepts Author: Rishabh Singhal
Agenda - What are extensions? - Basic Architecture - How all parts connects together - Chrome Javascript API’s - Security tips
What are extensions? What can they do?
What are chrome extensions? Extensions are small software programs that can modify and enhance the functionality of the Chrome browser. Chrome extensions enhance the browsing experience by adding features and functionality to the Chrome browser, providing things like: - Productivity tools - Web page content enrichment - Information aggregation
What can extensions do? Extensions can use all the JavaScript APIs that the browser provides. What makes extensions more powerful than a web app is their access to Chrome APIs. The following are just a few examples of what extensions can do: - Change the functionality or behavior of a website - Allow users to collect and organize information across websites - Add features to Chrome DevTools - See Extension development overview for a complete list of API capabilities
Basic Architecture - Different components of an extension
Chrome extension architecture: Overview
Chrome extension architecture: Detailed
File structure of a chrome extension The manifest The extension's manifest is the only required file that must have a specific file name: manifest.json . It also has to be located in the extension's root directory. The manifest records important metadata, defines resources, declares permissions, and identifies which files to run in the background and on the page. The service worker The extension service worker handles and listens for browser events. There are many types of events, such as navigating to a new page, removing a bookmark, or closing a tab. It can use all the Chrome APIs, but it cannot interact directly with the content of web pages; that’s the job of content scripts. Content scripts Content scripts execute Javascript in the context of a web page. They can also read and modify the DOM of the pages they're injected into. Content Scripts can only use a subset of the Chrome APIs but can indirectly access the rest by exchanging messages with the extension service worker. The popup and other pages An extension can include various HTML files, such as a popup, an options page, and other HTML pages. All these pages have access to Chrome APIs.
Manifest.json The manifest (manifest.json) is the configuration file of a Chrome extension. It is a required JSON file that must be located at the root of the project. It provides the browser with a blueprint of the extension, with important information such as: - The name of the extension, a description of what it does, the current version number, and what icons to use. - The Chrome API keys and permissions that the extension needs. - The files assigned as the extension service worker, the popup HTML file, the options page, the content scripts, etc.
Examples of manifest.json
Service workers/background scripts Background scripts or a background page enable you to monitor and react to events in the browser, such as navigating to a new page, removing a bookmark, or closing a tab. Background scripts or a page are: - Persistent – loaded when the extension starts and unloaded when the extension is disabled or uninstalled. - Non-persistent (which are also known as event pages) – loaded only when needed to respond to an event and unloaded when they become idle. However, a background page does not unload until all visible views and message ports are closed. Opening a view does not cause the background page to load but does prevent it from closing. In Manifest V3, only non-persistent background scripts or a page are supported.
Content scripts - Content scripts are JS files that run in the context of web pages. - Content scripts can access Chrome APIs used by their parent extension by exchanging messages. They can access extension files after declaring them as web-accessible resources. - Additionally, content scripts can access the following chrome APIs directly: I18n, storage, runtime:, connect, getManifest, getURL, id, onConnect, onMessage. sendMessage - Content scripts are unable to access other APIs directly.
Extension HTML pages An extension can have different HTML pages depending on the design. All extension HTML files can use the Chrome APIs, but cannot include inline Javascript; they must point to a JavaScript file. The two most common HTML pages are: - The popup - Many extensions use a popup (popup.html) to provide functionality, such as displaying a list of tabs, or additional information regarding the current tab. Users can easily find it by clicking on the extension toolbar icon. When the user navigates away it will automatically close. - The options page - The options page (options.html) provides a way for users to customize an extension, such as choosing which sites the extension will run on. Users can access the options page in several ways as described in Finding the options page. - Side panels - A side panel (sidepanel.html) can be used to assist users throughout their browsing journey. Users can find extension side panels by navigating to Chrome's side panel UI or by clicking the extension toolbar icon. Side panels can be configured to only be displayed on specific sites. Other extension HTML pages include Chrome override pages, sandbox pages or any custom page included for a specific purpose like onboarding the user.
Popup, context menu, side panels, etc Popup Context Menu Side Panel Tooltip Omnibox
How all parts connects together
Basic communication
Message Passing - Simple one time requests Sending a request: Receiving a request:
Message Passing - Long-lived connections Sometimes it's useful to have a conversation that lasts longer than a single request and response. In this case, you can open a long-lived channel from your content script to an extension page or vice versa using runtime.connect or tabs.connect, respectively. The channel can optionally have a name, allowing you to distinguish between different types of connections.
Message passing between content script and service worklet: Long-lived (via ports)
web_accessible_resources Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension's bundle can be made web accessible.
Chrome Javascript API’s JavaScript APIs for Chrome Extensions can be used inside the extension's background scripts and in any other documents bundled with the extension, including browser action or page action popups, sidebars, options pages, or new tab pages. A few of these APIs can also be accessed by an extension's content scripts. To use the more powerful APIs, you need to request permission in your extension's manifest.json. View API Reference docs to learn more
Storage API The Storage API provides an extension-specific way to persist user data and state. It's similar to the web platform's storage APIs (IndexedDB, and Storage), but was designed to meet the storage needs of extensions. The following are a few key features: - All extension contexts, including the extension service worker and content scripts have access to the Storage API. - The JSON serializable values are stored as object properties. - The Storage API is asynchronous with bulk read and write operations. - Even if the user clears the cache and browsing history, the data persists. - Stored settings persist even when using split incognito. - Includes an exclusive read-only managed storage area for enterprise policies.
Security tips - How to stay secure
Never use HTTP When requesting or sending data, avoid an HTTP connection. Assume that any HTTP connections will have eavesdroppers or contain modifications. HTTPS should always be preferred, as it has built-in security circumventing most man-in-the-middle attacks.
Cross-origin fetch() An extension can only use fetch() and XMLHttpRequest() to get resources from the extension and from domains specified in the permissions. Note that calls to both are intercepted by the fetch handler in the service worker. This extension in the sample above requests access to anything on developer.chrome.com and subdomains of Google by listing "https://developer.chrome.com/*" and "https://*.google.com/*" in the permissions. If the extension were compromised, it would still only have permission to interact with websites that meet the match pattern. The attacker would only have limited ability to access "https://user_bank_info.com", or interact with "https://malicious_website.com".
Limit use of Web-accessible resources Making resources accessible by the web, under the "web_accessible_resources" will make an extension detectable by websites and attackers. The more web accessible resources available, the more avenues a potential attacker can exploit. Keep these files to a minimum.
Include an explicit content security policy Include a content security policy for the extension in the manifest to prevent cross-site scripting attacks. If the extension only loads resources from itself register the following:
Avoid document.write() and innerHTML While it may be simpler to dynamically create HTML elements with document.write() and innerHTML, it leaves the extension, and web pages the extension depends on, open to attackers inserting malicious scripts. Instead, manually create DOM nodes and use innerText to insert dynamic content.
Use content scripts carefully While content scripts live in an isolated world, they are not immune from attacks: - Content scripts are the only part of an extension that interacts directly with the web page. Because of this, hostile web pages may manipulate parts of the DOM the content script depends on, or exploit surprising web standard behavior, such as named items. - To interact with DOM of web pages, content scripts need to execute in the same renderer process as the web page. This makes content scripts vulnerable to leaking data via side channel attacks (e.g., Spectre), and to being taken over by an attacker if a malicious web page compromises the renderer process. Operations using sensitive data (such as a user's private information) or Chrome APIs with access to the browser's functions should be performed in the extensions' service worker. Avoid accidentally exposing extension privileges to content scripts
Thank You

More Related Content

PDF
Building Chrome Extensions
Ron Reiter
Β 
PPTX
Google chrome extension
Johnny Kingdom
Β 
ODP
Chrome extension development
Michal HatΓ‘k
Β 
PPTX
An overview on Developing Chrome Extensions
Aces Mndr
Β 
PDF
Chrome extensions threat analysis and countermeasures
Roel Palmaers
Β 
PDF
Browser Extensions for Web Hackers
Mark Wubben
Β 
PPT
Chrome Extension Develop Starts
taobao.com
Β 
PPTX
Chrome extensions
Aleks Zinevych
Β 
Building Chrome Extensions
Ron Reiter
Β 
Google chrome extension
Johnny Kingdom
Β 
Chrome extension development
Michal HatΓ‘k
Β 
An overview on Developing Chrome Extensions
Aces Mndr
Β 
Chrome extensions threat analysis and countermeasures
Roel Palmaers
Β 
Browser Extensions for Web Hackers
Mark Wubben
Β 
Chrome Extension Develop Starts
taobao.com
Β 
Chrome extensions
Aleks Zinevych
Β 

Similar to Chrome Extensions - Basic concepts powerpoint (20)

PDF
Chrome Extensions for Web Hackers
Mark Wubben
Β 
PDF
Chrome Extensions: Threat Analysis and Countermeasures
Tom K
Β 
PDF
Chrome extensions
Ahmad Tahhan
Β 
PDF
How to develop browser extension
Abu Saleh Muhammad Shaon
Β 
PPTX
Chrome extension 2014.08.03
louisasea666
Β 
PPTX
Chrome Apps & Extensions
Varun Raj
Β 
PPTX
Orange is the new blue: How to port Chrome Extension to Firefox Extension
chaykaborya
Β 
PPTX
Cliw - extension development
vicccuu
Β 
PDF
Chrome Extensions at Manhattan JS
Cory Forsyth
Β 
PDF
Advanced Chrome extension exploitation
Krzysztof Kotowicz
Β 
PDF
Introduction to Web Browser Extension/Add-ons
Pranav Gupta
Β 
PDF
Chrome Extensions for Hackers
Cristiano Betta
Β 
PPTX
Develop Chrome Extension
Aleksandr Golovatyi
Β 
PPTX
Web browser extension development
alecsrusu
Β 
PDF
Chrome extension development
MārtiΕ†Ε‘ Balodis
Β 
PDF
The Evil Friend in Your Browser
Achim D. Brucker
Β 
PPTX
Intro chrome extensions
Rebecca Peltz
Β 
PPTX
Building your own Chrome Extension
Saptak Sengupta
Β 
PPTX
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
Β 
PPTX
Web browser extensions development
dragoslargu
Β 
Chrome Extensions for Web Hackers
Mark Wubben
Β 
Chrome Extensions: Threat Analysis and Countermeasures
Tom K
Β 
Chrome extensions
Ahmad Tahhan
Β 
How to develop browser extension
Abu Saleh Muhammad Shaon
Β 
Chrome extension 2014.08.03
louisasea666
Β 
Chrome Apps & Extensions
Varun Raj
Β 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
chaykaborya
Β 
Cliw - extension development
vicccuu
Β 
Chrome Extensions at Manhattan JS
Cory Forsyth
Β 
Advanced Chrome extension exploitation
Krzysztof Kotowicz
Β 
Introduction to Web Browser Extension/Add-ons
Pranav Gupta
Β 
Chrome Extensions for Hackers
Cristiano Betta
Β 
Develop Chrome Extension
Aleksandr Golovatyi
Β 
Web browser extension development
alecsrusu
Β 
Chrome extension development
MārtiΕ†Ε‘ Balodis
Β 
The Evil Friend in Your Browser
Achim D. Brucker
Β 
Intro chrome extensions
Rebecca Peltz
Β 
Building your own Chrome Extension
Saptak Sengupta
Β 
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
Β 
Web browser extensions development
dragoslargu
Β 
Ad

Recently uploaded (20)

PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
Β 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
Β 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
Β 
PDF
πŸ’° π”πŠπ“πˆ πŠπ„πŒπ„ππ€ππ†π€π πŠπˆππ„π‘πŸ’πƒ π‡π€π‘πˆ 𝐈𝐍𝐈 πŸπŸŽπŸπŸ“ πŸ’°
GRAB
Β 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
Β 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
Β 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
Β 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
Β 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
Β 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
Β 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
Β 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
Β 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
Β 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
Β 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
Β 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
Β 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
Β 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
Β 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
Β 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
Β 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
Β 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
Β 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
Β 
πŸ’° π”πŠπ“πˆ πŠπ„πŒπ„ππ€ππ†π€π πŠπˆππ„π‘πŸ’πƒ π‡π€π‘πˆ 𝐈𝐍𝐈 πŸπŸŽπŸπŸ“ πŸ’°
GRAB
Β 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
Β 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
Β 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
Β 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
Β 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
Β 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
Β 
innovation process that make everything different.pptx
SoumyadipPaul18
Β 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
Β 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
Β 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
Β 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
Β 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
Β 
Digital Literacy And Online Safety on internet
riksa rifqi
Β 
Introduction to Information and Communication Technology
AkmadArzieAyao1
Β 
Internet___Basics___Styled_ presentation
poonam62133
Β 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
Β 
Ad

Chrome Extensions - Basic concepts powerpoint

  • 1. Chrome Extensions - Basic concepts Author: Rishabh Singhal
  • 2. Agenda - What are extensions? - Basic Architecture - How all parts connects together - Chrome Javascript API’s - Security tips
  • 3. What are extensions? What can they do?
  • 4. What are chrome extensions? Extensions are small software programs that can modify and enhance the functionality of the Chrome browser. Chrome extensions enhance the browsing experience by adding features and functionality to the Chrome browser, providing things like: - Productivity tools - Web page content enrichment - Information aggregation
  • 5. What can extensions do? Extensions can use all the JavaScript APIs that the browser provides. What makes extensions more powerful than a web app is their access to Chrome APIs. The following are just a few examples of what extensions can do: - Change the functionality or behavior of a website - Allow users to collect and organize information across websites - Add features to Chrome DevTools - See Extension development overview for a complete list of API capabilities
  • 6. Basic Architecture - Different components of an extension
  • 9. File structure of a chrome extension The manifest The extension's manifest is the only required file that must have a specific file name: manifest.json . It also has to be located in the extension's root directory. The manifest records important metadata, defines resources, declares permissions, and identifies which files to run in the background and on the page. The service worker The extension service worker handles and listens for browser events. There are many types of events, such as navigating to a new page, removing a bookmark, or closing a tab. It can use all the Chrome APIs, but it cannot interact directly with the content of web pages; that’s the job of content scripts. Content scripts Content scripts execute Javascript in the context of a web page. They can also read and modify the DOM of the pages they're injected into. Content Scripts can only use a subset of the Chrome APIs but can indirectly access the rest by exchanging messages with the extension service worker. The popup and other pages An extension can include various HTML files, such as a popup, an options page, and other HTML pages. All these pages have access to Chrome APIs.
  • 10. Manifest.json The manifest (manifest.json) is the configuration file of a Chrome extension. It is a required JSON file that must be located at the root of the project. It provides the browser with a blueprint of the extension, with important information such as: - The name of the extension, a description of what it does, the current version number, and what icons to use. - The Chrome API keys and permissions that the extension needs. - The files assigned as the extension service worker, the popup HTML file, the options page, the content scripts, etc.
  • 12. Service workers/background scripts Background scripts or a background page enable you to monitor and react to events in the browser, such as navigating to a new page, removing a bookmark, or closing a tab. Background scripts or a page are: - Persistent – loaded when the extension starts and unloaded when the extension is disabled or uninstalled. - Non-persistent (which are also known as event pages) – loaded only when needed to respond to an event and unloaded when they become idle. However, a background page does not unload until all visible views and message ports are closed. Opening a view does not cause the background page to load but does prevent it from closing. In Manifest V3, only non-persistent background scripts or a page are supported.
  • 13. Content scripts - Content scripts are JS files that run in the context of web pages. - Content scripts can access Chrome APIs used by their parent extension by exchanging messages. They can access extension files after declaring them as web-accessible resources. - Additionally, content scripts can access the following chrome APIs directly: I18n, storage, runtime:, connect, getManifest, getURL, id, onConnect, onMessage. sendMessage - Content scripts are unable to access other APIs directly.
  • 14. Extension HTML pages An extension can have different HTML pages depending on the design. All extension HTML files can use the Chrome APIs, but cannot include inline Javascript; they must point to a JavaScript file. The two most common HTML pages are: - The popup - Many extensions use a popup (popup.html) to provide functionality, such as displaying a list of tabs, or additional information regarding the current tab. Users can easily find it by clicking on the extension toolbar icon. When the user navigates away it will automatically close. - The options page - The options page (options.html) provides a way for users to customize an extension, such as choosing which sites the extension will run on. Users can access the options page in several ways as described in Finding the options page. - Side panels - A side panel (sidepanel.html) can be used to assist users throughout their browsing journey. Users can find extension side panels by navigating to Chrome's side panel UI or by clicking the extension toolbar icon. Side panels can be configured to only be displayed on specific sites. Other extension HTML pages include Chrome override pages, sandbox pages or any custom page included for a specific purpose like onboarding the user.
  • 15. Popup, context menu, side panels, etc Popup Context Menu Side Panel Tooltip Omnibox
  • 16. How all parts connects together
  • 18. Message Passing - Simple one time requests Sending a request: Receiving a request:
  • 19. Message Passing - Long-lived connections Sometimes it's useful to have a conversation that lasts longer than a single request and response. In this case, you can open a long-lived channel from your content script to an extension page or vice versa using runtime.connect or tabs.connect, respectively. The channel can optionally have a name, allowing you to distinguish between different types of connections.
  • 20. Message passing between content script and service worklet: Long-lived (via ports)
  • 21. web_accessible_resources Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension's bundle can be made web accessible.
  • 22. Chrome Javascript API’s JavaScript APIs for Chrome Extensions can be used inside the extension's background scripts and in any other documents bundled with the extension, including browser action or page action popups, sidebars, options pages, or new tab pages. A few of these APIs can also be accessed by an extension's content scripts. To use the more powerful APIs, you need to request permission in your extension's manifest.json. View API Reference docs to learn more
  • 23. Storage API The Storage API provides an extension-specific way to persist user data and state. It's similar to the web platform's storage APIs (IndexedDB, and Storage), but was designed to meet the storage needs of extensions. The following are a few key features: - All extension contexts, including the extension service worker and content scripts have access to the Storage API. - The JSON serializable values are stored as object properties. - The Storage API is asynchronous with bulk read and write operations. - Even if the user clears the cache and browsing history, the data persists. - Stored settings persist even when using split incognito. - Includes an exclusive read-only managed storage area for enterprise policies.
  • 24. Security tips - How to stay secure
  • 25. Never use HTTP When requesting or sending data, avoid an HTTP connection. Assume that any HTTP connections will have eavesdroppers or contain modifications. HTTPS should always be preferred, as it has built-in security circumventing most man-in-the-middle attacks.
  • 26. Cross-origin fetch() An extension can only use fetch() and XMLHttpRequest() to get resources from the extension and from domains specified in the permissions. Note that calls to both are intercepted by the fetch handler in the service worker. This extension in the sample above requests access to anything on developer.chrome.com and subdomains of Google by listing "https://developer.chrome.com/*" and "https://*.google.com/*" in the permissions. If the extension were compromised, it would still only have permission to interact with websites that meet the match pattern. The attacker would only have limited ability to access "https://user_bank_info.com", or interact with "https://malicious_website.com".
  • 27. Limit use of Web-accessible resources Making resources accessible by the web, under the "web_accessible_resources" will make an extension detectable by websites and attackers. The more web accessible resources available, the more avenues a potential attacker can exploit. Keep these files to a minimum.
  • 28. Include an explicit content security policy Include a content security policy for the extension in the manifest to prevent cross-site scripting attacks. If the extension only loads resources from itself register the following:
  • 29. Avoid document.write() and innerHTML While it may be simpler to dynamically create HTML elements with document.write() and innerHTML, it leaves the extension, and web pages the extension depends on, open to attackers inserting malicious scripts. Instead, manually create DOM nodes and use innerText to insert dynamic content.
  • 30. Use content scripts carefully While content scripts live in an isolated world, they are not immune from attacks: - Content scripts are the only part of an extension that interacts directly with the web page. Because of this, hostile web pages may manipulate parts of the DOM the content script depends on, or exploit surprising web standard behavior, such as named items. - To interact with DOM of web pages, content scripts need to execute in the same renderer process as the web page. This makes content scripts vulnerable to leaking data via side channel attacks (e.g., Spectre), and to being taken over by an attacker if a malicious web page compromises the renderer process. Operations using sensitive data (such as a user's private information) or Chrome APIs with access to the browser's functions should be performed in the extensions' service worker. Avoid accidentally exposing extension privileges to content scripts