@kevin51jiang
Created April 19, 2023 21:06
TIL 1: How to Run Unsafe-Eval/remote code in Google Chrome MV3

Recently, with MV3, Google supposedly outlawed running remote code in extensions. While it may be unsafe, there are also valid business reasons for wanting to do so.

Here are a few steps on how to do it, as of 2023-04-19.

  1. Create a sandbox HTML page for executing arbitrary code.
  2. Create a tab that acts as an intermediary between the background service worker (bgsw) and the sandbox. Embed the sandbox in the tab as an iframe.
  3. Create a background service worker (bgsw) that creates the tab as an offscreen document (https://developer.chrome.com/docs/extensions/reference/offscreen/).

Then, to run the code in the background:

  1. The bgsw sends a message to the tab with chrome.runtime.sendMessage.
  2. The tab then does an iframe.contentWindow.postMessage to the sandbox.
  3. The sandbox evaluates the code, then does a window.postMessage back to the tab.
  4. The tab takes the result and sends it back to the bgsw with chrome.runtime.sendMessage.
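
The tab in the middle of this exchange is the trust boundary, so it should check who is talking to it on both sides. The sketch below is an added example, not code from the original gist: `createRelay` and the `{id, code}` / `{id, result}` message shapes are hypothetical, and it assumes the sandbox page is declared without `allow-same-origin`.

```javascript
// Added example: relay logic for the intermediary (offscreen) document.
// createRelay and the {id, code} / {id, result} message shapes are hypothetical.
function createRelay(ownExtensionId, sandboxWindow, postToSandbox) {
  const pending = new Map(); // request id -> sendResponse callback
  let nextId = 1;

  // bgsw -> tab -> sandbox: accept requests only from our own extension.
  function onRuntimeMessage(message, sender, sendResponse) {
    if (!sender || sender.id !== ownExtensionId) return false;
    if (!message || typeof message.code !== "string") return false;
    const id = nextId++;
    pending.set(id, sendResponse);
    postToSandbox({ id, code: message.code });
    return true; // keeps the runtime message channel open for the async reply
  }

  // sandbox -> tab -> bgsw: accept replies only from the sandbox iframe.
  function onWindowMessage(event) {
    // Assumption: the sandbox has no allow-same-origin, so its origin is
    // opaque and postMessage reports it as the string "null".
    if (event.source !== sandboxWindow || event.origin !== "null") return false;
    const data = event.data;
    if (!data || !pending.has(data.id)) return false; // unknown or replayed id
    const respond = pending.get(data.id);
    pending.delete(data.id);
    respond({ result: data.result });
    return true;
  }

  return { onRuntimeMessage, onWindowMessage, pendingCount: () => pending.size };
}

// Wiring inside the extension page; skipped when run outside Chrome.
if (typeof chrome !== "undefined" && chrome.runtime && typeof document !== "undefined") {
  const frame = document.querySelector("iframe"); // assumed: the sandbox iframe
  // An opaque-origin frame cannot be named as a target origin, hence "*".
  const relay = createRelay(chrome.runtime.id, frame.contentWindow,
    (msg) => frame.contentWindow.postMessage(msg, "*"));
  chrome.runtime.onMessage.addListener(relay.onRuntimeMessage);
  window.addEventListener("message", relay.onWindowMessage);
}
```

Because each request id is deleted once answered, a second reply carrying the same id is dropped rather than forwarded to the bgsw.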