Chrome Content script injection in MHTML files

Question

It seems the Chrome does not inject content script into local files that are of type MHTML. They might do this for security reason. They don't allow you to download files that have MHTML extension either. So that makes me suspicious.

My content script gets injected properly if the local file type is HTML.

Here is my manifest:

"content_scripts": [
    {
        "matches": [ "http://*/*", "https://*/*", "file://*/*", "<all_urls>" ],
        "run_at": "document_start",
        "js": [
            "js/contentscript.js"
        ]
    }
],

"permissions": [ "tabs", "http://*/*", "https://*/*"],

In the extension management page I also checked:

[x] Allow Access to file URLs

And finally the error I get:

test1.mhtml:1 Blocked script execution in 'file:///Users/test/Downloads/test1.mhtml' 
because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Is there anyway to work around this and get my script injected in .mhtl file?

Update: Here is a simple test extension that shows script injection and a test mhtml file. Make sure you check this check box in extension management page. [x] Allow Access to file URLs

Update 2: Found it. It is a chrome bug https://code.google.com/p/chromium/issues/detail?id=452901

Update 3: so it looks like that it works but chrome debugger just does not show the content script files in the UI when the file type is MHTML.

Hi, Did you look at the chrome code or you are guessing? Saving in MHTML requires a chrome flag. But opening one from file system just works. Downloading mhtml is blocked too. I was really hoping that injection of content script would just work. :-( Maybe not — David Dehghan, Sep 22 '15 at 09:27
Did you use the mhtml to extract data only or did you also interact with the page, e.g., fill out `input` elements? I can perfectly extract data from mhtml files, but I cannot fill out a form, neither manually nor via puppeteer. — Kim Kern, May 14 '20 at 15:07
This is really old but i remember that chrome team explicitly blocked running content script inside the mhtml pages. They said that was for security? are you saying that now you can inject content script into these mhtml pages? are you loading these from files? — David Dehghan, May 14 '20 at 22:44
It's slightly different in my case, as I am writing an e2e test with puppeteer (https://stackoverflow.com/q/61800030/4694994); no extension. I'm inserting the script by running `eval` on each frame of the page, attaching functions to `window`. Although the browser then logs that executing scripts is not allowed it still works. Thanks for getting back to me on such an old thread. :-) — Kim Kern, May 15 '20 at 08:56

wOxxOm · Accepted Answer · 2015-09-23T07:44:48.387

1

The content script is added via the standard declaration, for example:

"content_scripts": [
    {
        "matches": [ "<all_urls>" ],
        "run_at": "document_end",
        "js": ["content.js"]
    }
],

Notes:

it won't be shown in Chrome devtools -> Sources -> Content scripts panel which seems a bug.
MHTML has some restrictions so certain features may not work, use console.log everywhere.

edited Sep 23 '15 at 07:44

answered Sep 22 '15 at 09:37

wOxxOm

65,848
11
132
136

:-( I tired. but that didn't work. Nothing gets injected in the content script tab in chrome debugger. But @wOxxOm i have another question for you which I think the answer is all_frames=true however that one is not working either. Please take a look at this old question if you don't mind. http://stackoverflow.com/questions/11395168/chrome-extension-access-iframe-elements – David Dehghan Sep 22 '15 at 09:54
The content script IS injected, the debugger simply doesn't show it. – wOxxOm Sep 22 '15 at 11:22
hmm. I don't think so. Here I made a simple test. https://www.dropbox.com/s/71zz1jin90qjyfn/extension_permission_bug.zip?dl=0 – David Dehghan Sep 22 '15 at 19:18
@DavidDehghan, if use debugger and console.log at start of the script you would notice that all you have to do is simply remove `$(...)` wrapper because it never executes since your content script is injected at `document_end`. Actually `"all_frames": true` isn't needed. The entire problem was caused by the wrong use of `$()`. – wOxxOm Sep 22 '15 at 23:16
I want to shoot myself. :-( you are absolutely right. I lost 4-5hrs on this stupid thing. I can't thank yo enough for not giving up on this. – David Dehghan Sep 22 '15 at 23:56
Thanks again. I can get a pure JS script loaded. but as soon as I add jquery it starts to give me errors again. Also I get the same "Blocked script execution" from the bar.html. I read somewhere in the chrome bugs that mhtml was limited to only load top frame..... – David Dehghan Sep 23 '15 at 01:09
I see. jQuery must be doing something that's not supported inside mhtml. – wOxxOm Sep 23 '15 at 05:03
yeah. I think it is doing some eval or such. :-( I am going to have to get rid of the iframe and use a div as the bar instead. Many thanks. You save me a lot of frustration. :-) – David Dehghan Sep 23 '15 at 05:19

Chrome Content script injection in MHTML files

1 Answers1