Improvements to messaging article.

[jpmedley]

@dotproto, I realized this morning that I needed to understand messaging better. If I'm reading something, the cost of improving it is marginal. I made some V3-specific updates to this article. You can find them at lines 27, 33, 43, and 274. Please ignore the other stuff. I'll ask @AmySteam to do a proper copy edit before I merge.

Staged link
Message passing

[netlify]

✅ Deploy Preview for developer-chrome-com ready!

Name	Link
🔨 Latest commit	9b71a63
🔍 Latest deploy log	https://app.netlify.com/sites/developer-chrome-com/deploys/638a2291a80bee0008f4888b
😎 Deploy Preview	https://deploy-preview-4275--developer-chrome-com.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[dotproto]

This section is a bit odd now because of CSP changes in Manifest V3. Ian is working on #3837 to update our CSP docs, but the short version is that Chrome has a minimum CSP for extension contexts that does not allow developers to call eval() or new Function(). For reference, the minimum CSP is script-src 'self' 'wasm-unsafe-eval'; object-src 'self';.

It may be best to use a slightly different approach for this section. Since cross-site scripting isn't as much a concern, we could lean into "cross-site attacks," where a compromised render could use the message channel to send the extension messages in order to extract data or make the extension do something dangerous.

Cross-site scripting is still a concern for content scripts. This is another method by which a content script could potentially be hijacked into sending dangerous messages back to the extension.

[jpmedley]

I'm going to remove the new text so that we can merge this. I'll circle back when I have more information.

[AmySteam]

@jpmedley Good improvements.

Since you are making this article MV3 compatible, can you change the mention of background pages to extension service worker?

For example, an RSS reader extension might use content scripts to detect the presence of an RSS feed on a page, then notify the background page in order to display a page action icon for that page.

This sentence mentions a background page and a page action. Both are not supported in MV3.

[jpmedley]

@dotproto, I've removed the bit about eval() et al, restoring the original text until I can do more research. That way we can merge this PR.

PTAL

[AmySteam]

LGTM 👍 I just have some small change requests. Thanks!

[jpmedley]

@AmySteam Thank you for the review. Are there any fact that you think @dotproto needs to verify before we merge this?

[AmySteam]

@jpmedley Nope, I think this can be merged as is 👍

[tophf]

This is invalid JS syntax.

[tophf]

This is invalid JS syntax.

[jpmedley]

Thank you for your feedback. We had an off day there.

See #4518

[tophf]

Fixing the snippets is a little tricky because you need to show a complete async function, otherwise people who only learn JS will waste time (probably) a lot.

The first snippet:

(async () => {
  const response = await chrome.runtime.sendMessage({greeting: "hello"});
  // do something with response here, not outside the function
  console.log(response);
})();

The second snippet should be rewritten:

(async () => {
  const [tab] = await chrome.tabs.query({active: true, lastFocusedWindow: true});
  const response = await chrome.tabs.sendMessage(tab.id, {greeting: "hello"});
  // do something with response here, not outside the function
  console.log(response);
})();

Generally you should convert all function declarations to await as shown above or to arrow functions - it is important in modern frameworks that need this to be bound to the app instance also inside the API callback.

Also make sure to at least verify each JS snippet you modify or add in devtools console, especially if JS is not your forte.

[jpmedley]

We know that. I had an off day.