Ensuring authenticity of sender in Chrome Extension message passing

Question

Creating a chrome extension involves the content script sending a message to the background script.

chrome.runtime.sendMessage({greeting: "hello"}, function(response) {
  console.log(response.farewell);
});

Upon receiving this message, background.js retrieves the sender information which includes

{ ID, tab, url }

The goal is to confirm that the message originated from the content script within the same extension and not any other source.

How can the sender ID be verified and how can background.js access the extension ID?

Answer 1

Answer №1

It is not necessary.

There are two specific occurrences related to messages:

chrome.runtime.onMessage - specifically designed for messages transmitted by your own extension. The sender helps determine the context, such as the tab ID.
chrome.runtime.onMessageExternal - exclusively used for messages coming from external sources, including other extensions or web pages. In this case, the sender will display either an extension ID or the URL of the relevant page.

Keep in mind that you have the option to restrict the potential senders of external messages in the manifest file using the externally_connectable attribute. By default, web pages are prohibited while all extensions are permitted.

Answer 2

It is not necessary.

There are two specific occurrences related to messages:

chrome.runtime.onMessage - specifically designed for messages transmitted by your own extension. The sender helps determine the context, such as the tab ID.
chrome.runtime.onMessageExternal - exclusively used for messages coming from external sources, including other extensions or web pages. In this case, the sender will display either an extension ID or the URL of the relevant page.

Keep in mind that you have the option to restrict the potential senders of external messages in the manifest file using the externally_connectable attribute. By default, web pages are prohibited while all extensions are permitted.