Keep in mind any network requests running from the script directly in the page will happily send your cookies, so this makes it trivial to gain unauthorized access to people's accounts. Any site you visit while running this extension can basically access your private data from every other site you happen to have a tab open for, and send requests impersonating you. It could also install a keyboard logger, etc.
Yeah, you're right. I have addressed this by moving the API from the window object to a dev tools panel page & options page of the extension, so the website itself is no longer able to communicate with the service worker of the extension that is opening up the bridge to access all tabs.
Also if for example somebody has written a window opener function in their site's code and made the mistake of naming it tabgod there might also be problems.
But from reading the description it says in all devtools consoles - so I had assumed it was only in devtools context that the function was available?
I know pretty much nothing about web extensions, but isn't it possible to add custom DevTools functions, like getEventListeners() or copy() in Chrome, without the page being accessed?
This seems very useful for running a local-first app in one of the tabs. Then using this, you can send requests to that app from anywhere and get your responses back where you requested from.
I once had to debug a sporadic problem in a prod system I wasn't familiar with, which seemed to be caused by two requests made simultaneously by different users. I could have assembled curl commands but the easiest thing to reproduce and verify the issue was to run a setTimeout(clickSubmit, 5s) in both browser sessions' consoles. Weirdly niche use case, but something like this extension would've been useful.
I don't know of a reliable way of calling two separate curl commands at once though. Maybe abusing the shell job system, or learning the 'at' command. It has been a while since I've needed to do something like this.
Oh I don't know, I could see it being useful if it's possible to hook up with rtk-query or react-query, to prevent duplicate requests from multiple instances of an app that might be running.
Though I guess this might just trigger all the requests on all the tabs anyway. I suppose you'd have to add architecture to start one instance of that app as the 'controller' and then a way to pass off controller responsibilities to other tabs... which sounds like basically "step 2: draw the rest of the owl"
Since I just noticed this is an extension rather than a library, I think it's probably more useful for automating interactions with a number of tabs of the same page (but puppeteer or something similar would probably be a better fit for this also)
For user-driven automations, something like Tampermonkey would be way better (and safer, since they can be domain-limited).
I can think of no reason why a regular user would want to allow tabs to execute each other's code... that just seems like a setup for self-XSS attacks by people who don't know any better :(
---------
edit: Sorry, re: the second part of your comment, I misunderstood what you meant. Like if you wanted to purposely script multiple identical tabs at the same time.
It's a combination of the chrome.runtime messaging API to establish a connection between the calling tab and the service worker and the chrome.scripting API to actually execute on the target tabs. Though you can only send JSON and not functions over the port, so functions have to be stringified and then eval()'d in the tab's main world. Since eval is not possible in extensions themselves for good reason, the only way is to do this on the tabs, so the tab filtering will also be done in a tab world, which will send the filtered tab IDs back to the service worker.
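An added example, not part of the thread and not the extension's own code: one way a service worker can enforce the restriction discussed above, accepting a chrome.runtime port only from the extension's own pages and dropping connections that originate in a web page. The file names `/panel.html` and `/options.html`, the helper names, and the sample extension ID used when testing are assumptions.

```javascript
// Added example, not the extension's own code.
// Assumption: only these two (hypothetical) extension pages may open the bridge.
const ALLOWED_PAGES = new Set(["/panel.html", "/options.html"]);

// Decide whether a runtime.MessageSender is one of our own extension pages.
// A content script running in a web page also carries our extension id, but
// its sender.url is the page URL, so the scheme/host check rejects it.
function isTrustedSender(sender, extensionId) {
  if (!sender || sender.id !== extensionId || typeof sender.url !== "string") {
    return false;
  }
  let url;
  try {
    url = new URL(sender.url);
  } catch (e) {
    return false; // unparsable URL: treat as untrusted
  }
  return url.protocol === "chrome-extension:" &&
         url.host === extensionId &&
         ALLOWED_PAGES.has(url.pathname);
}

// Accept or drop a newly connected port. Returns true if the port was accepted.
function guardPort(port, extensionId, onRequest) {
  if (!isTrustedSender(port.sender, extensionId)) {
    port.disconnect(); // never attach a message handler to an untrusted port
    return false;
  }
  port.onMessage.addListener((msg) => onRequest(msg, port));
  return true;
}

// Wiring in the service worker (skipped when run outside an extension).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onConnect) {
  chrome.runtime.onConnect.addListener((port) =>
    guardPort(port, chrome.runtime.id, (msg, p) => {
      // Hypothetical dispatch point: hand msg to the tab-execution logic here.
      p.postMessage({ ok: true, received: msg });
    })
  );
}
```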
- want to run custom JS from one tab in another often
- Wouldn't write their own extension to do it
But credit for OSSing your own tools :)