Using runtime.sendMessage API from webpages

I am currently migrating a Chrome extension to Firefox by using Mozilla’s webextension-polyfill library. The problem is that Firefox addons cannot communicate with webpages using the runtime.message API. In Chrome, one can specify externally_connectable URLs and send a message to the background script’s listener.

When I look up the docs & forums for an alternative, the suggested way is to send a window message from the webpage and listen for it from the content scripts. However, even the Mozilla docs discourage this implementation. (source: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Using_window.postMessage_in_extensions)

Moreover, we also need to return the result of the background message listener to the webpage. With the window.sendMessage API, doing this is not so inspiring. Chrome does this by sending the response to the callback function, which is a parameter of runtime.sendMessage. (Callbacks are also not inspiring 🙂)

Is there any other way to communicate with a specified webpage from an addon, or is there any plan to add webpage messaging support to addons?

You could of course have a dedicated API your extension could use (think REST/WebSocket) - however, authenticating that it is actually your extension has similar issues to postMessage.

You can find the bug to implement externally_connectable at https://bugzilla.mozilla.org/show_bug.cgi?id=1319168

Hi Martin,

I actually didn’t quite get what you mean. What do you mean by having a dedicated API? Should I write a simple messaging API based on window.postMessage? I also didn’t get the authentication part.

I meant having a “server side API” - but as I said, this is mostly as reliable as having a postMessage communication protocol. The problem is to verify authenticity, thus authentication.

I have a server side API and can authenticate to it through the extension. But communication between the extension and the webpage through a server brings too much latency and complexity. I do not want that if it is possible.

Also, I looked over the bug that you quoted and tried to exploit it. However, the global browser variable is only accessible from the extension side; my webpage script cannot access it. Therefore I can't even call browser.runtime.sendMessage from the webpage.

The bug I linked is specifically to add the API you’re asking about. So yes, nothing to use yet.

According to the comment above this bug might be unlikely to resolve 🙁

Regarding the window.postMessage - the issue here is only if you would transfer some sensitive data or if your API would allow to perform some “dangerous” operations. But if this is used only for some basic communication, like setting a label name or registering button click, I would say it’s a good solution.
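
An added example, not part of the thread or of any poster's code: the content-script relay discussed above, with the checks that keep a `window.postMessage` bridge narrow (exact origin, same-window source, action allow-list) and a Promise-returning page-side call that gets the background listener's result back. `ALLOWED_ORIGIN`, the `ext-request`/`ext-response` message types and the action names are assumptions; in practice `installBridge` lives in the content script and `callExtension` in the page's own script.

```javascript
// ALLOWED_ORIGIN, the "ext-request"/"ext-response" types and ALLOWED_ACTIONS are assumed names.
const ALLOWED_ORIGIN = "https://app.example.com";
const ALLOWED_ACTIONS = new Set(["setLabel", "buttonClicked"]);

// Content script: forward a window message only if it passes every check.
function isTrustedRequest(event, win) {
  const d = event.data;
  return event.source === win &&          // posted by this window, not a frame or opener
    event.origin === ALLOWED_ORIGIN &&    // exact match, no substring or regex tests
    d !== null && typeof d === "object" &&
    d.type === "ext-request" && typeof d.id === "string" &&
    ALLOWED_ACTIONS.has(d.action);        // background only sees allow-listed actions
}

// win: the page's window; runtime: browser.runtime (Promise-based, as with the polyfill).
function installBridge(win, runtime) {
  win.addEventListener("message", async (event) => {
    if (!isTrustedRequest(event, win)) return;
    const { id, action, payload } = event.data;
    let reply;
    try {
      reply = { ok: true, result: await runtime.sendMessage({ action, payload }) };
    } catch (err) {
      reply = { ok: false, error: String(err) };
    }
    win.postMessage({ type: "ext-response", id, ...reply }, ALLOWED_ORIGIN); // never "*"
  });
}

// Web page: Promise-returning call, matched to its response by id.
let nextId = 0;
function callExtension(win, action, payload, timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const id = String(++nextId);
    const timer = setTimeout(() => done(reject, new Error("no response from extension")), timeoutMs);
    function done(settle, value) {
      clearTimeout(timer);
      win.removeEventListener("message", onMessage);
      settle(value);
    }
    function onMessage(event) {
      const d = event.data;
      if (event.source !== win || !d || d.type !== "ext-response" || d.id !== id) return;
      d.ok ? done(resolve, d.result) : done(reject, new Error(d.error));
    }
    win.addEventListener("message", onMessage);
    win.postMessage({ type: "ext-request", id, action, payload }, ALLOWED_ORIGIN);
  });
}
```

The background listener should still validate `action` and `payload` itself, since any script running in the allowed page can post the same messages.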