WebExtensions : POSTing to new tab

Klopolitoy · August 25, 2017, 4:36pm

Hi,

A reviewer blocked our submission for this code, that we used for ages but seems not OK now :

chrome.tabs.create({ url: 'http://our.website.com/plugin.html'}, function(tab) {
	chrome.tabs.executeScript(tab.id, {code: "document.getElementById('url').value = " + JSON.stringify(postData) + "; document.getElementById('form').submit();"}, function(res) {
		if (chrome.runtime.lastError) { 
			//console.log(chrome.runtime.lastError)
		}
	});
}

Our extension allows users to send some links they selected / right click on to our website, where those links are processed. Sometimes our users will select a lot of links, so the query parameters are not enough and we need to POST the data to the new tab.
How can we do that without this modify-the-DOM-then-submit trick ? Couldn’t find anything in the docs or SO.

As a last resort, we could transmit by internal messaging the links to our website, as we have implemented website-to-extension communications in our last update, but the reviewer motivated this decision with a need for transparency for the user, and I don’t really think internal messaging is more transparent that POSTing the data.

Any idea ? Thanks

NilkasG · August 25, 2017, 7:35pm

Well, since eval(JSON.stringify(anyValue)) is to a security risk in itself because whats being evaled is know to be JSON, I don’t see the problem either. What you do is not very efficient, but that is it.

If it makes the reviewer happy, you can use XHR or fetch instead (which even works without your page open).

need for transparency for the user

Most users don’t know the difference between WiFi and “Internet”, and certainly won’t be looking at your code.
IMHO the best you can do is structure your code clearly and ensure the users that other programmers would raise a flag if your software misbehaved.