Can an object URL passed from a page script to a content script to the background script be used to load a local resource into an extension page? The page script is in a local HTML page opened in the browser by the user.
For example, can an image’s source in an extension page be set to src = blob:null/b868af4b-8f10-4005-9b6f-6a500cba2b27 if it points to a local file?
After some additional experimenting, it appears that the answer is no; however, …
In my current set up, the same-origin preference for file URIs is relaxed such that a local HTML page can fetch local resources. Under this setting, the object URL cannot be loaded by the extension page; and I couldn’t get it to work by altering the content security policy in the extension manifest for ‘object-src’, but I think you should be able to.
However, after the fetch response is converted to a blob(), instead of creating an object URL for it to pass, pass the blob and convert to a URL later in the process, and the image can be loaded into the extension page. I don’t know the impact this has on RAM usage, yet, or if the blob is actually passed or just a reference to it. If only a reference is passed, then, perhaps, there is no difference in RAM usage between the two methods. I converted the blob to a URL to use as the image source after it was passed to the extension page’s content script; I do not know if it could be converted to a URL in the content script and then passed to the background script to be used as a source in the extension page.
A question that arises is why is it a security violation to pass an object URL of an image to an extension page, but the blob from which that URL is created can be passed and loaded without an issue.
I’m not implying that the rules are applied wrong; I just don’t understand them. The circumstances to accomplish each are the same in the content script and page script.
That brings up a concern of is this going to be the case ongoing such that I can rely on this in building out the rest of this extension tool. How can I get an answer to that question?
I learned a little more the past few days and thought I should add it here. It’s really old news but was new to me.
If the content_security_policy permission is set to
object-src 'self' blob: then blobs of local file types other than image can be passed to extension pages and displayed also. I read that in MDN documents CSP and CSP object-src but could not get the right syntax until read a five-year-old post elsewhere; so, I assume my concern about whether or not this will continue was unnecessary.