0

I'm working on a Chrome extension and it's almost done. It uses CryptoJS, though, and I was wondering if it's okay to have those files (eg sha1.js) inside the extension package when I publish it (I downloaded CryptoJS and copied the SHA script file into the extension directory.)

The alternative of course would be to include the URL in the script tag but that didn't work right off the bat.

Any help would be appreciated.

Michael
  • 3
  • 3

3 Answers3

1

I've done this, but only tested on my dev machine, not publishing to the Chrome Web Store. You just have to include it in your manifest.json file:

{
...
    "background": {
        "scripts": [
            "cryptojs.js",
            "main.js"]
}
...
}
raduation
  • 792
  • 5
  • 11
1

There are pros and cons. Mostly pros.

  • A local file will load faster - disk latency is lower than network latency.
  • A local file will ensure your extension works offline / in poor connectivity.
  • A local file is more reliable in case CDN has problems.
  • A local file enjoys additional protection (at least on Windows/Mac platforms), as CWS will generate checksums for all files and a store-installed extension will be stopped from loading if the files are tampered with.
  • A local file is safe from network MITM attacks.
  • A local file is frozen at a particular version - you don't run the risk of a library updating and breaking compatibility.
  • Using external code in main extension code (not content scripts) requires a modification of CSP and a HTTPS-enabled CDN (for the MITM-attack reason).
  • Using external code in content scripts may require additional permissions (depending on the CDN's CORS configuration)

However, it will be up to you to keep the library updated.

  • If there is a critical bug/exploit in the library, a CDN-served file (if it points to "latest" version) can be silently updated to mitigate that. In case of a local file, you need to learn about the update and apply it yourself.
  • A local file cannot be updated without publishing a new version to CWS. An externally-hosted file can be updated independently.
Xan
  • 74,770
  • 16
  • 179
  • 206
  • Thanks for that, I didn't really think to consider performance factors. Legally though, is it okay to include a CryptoJS file in the extension package? Is there something I need to declare somewhere before I publish the extension? – Michael Aug 25 '15 at 05:05
  • Depends on the license of CryptoJS and your program. – Xan Aug 25 '15 at 06:19
0

If anyone want to use manifest 3, it can be only one service worker registered in the manifest:

"background": {
        "service_worker": "background.js"
    }

in the background.js (service worker), other libs can be imported as follow:

try {
    importScripts("/node_modules/crypto-js/crypto-js.js");
} catch (e) {
    console.error(e);
}
Abilogos
  • 4,777
  • 2
  • 19
  • 39