I'm developing an extension which will perform a certain action on all Google search URLs - but not on other websites or Google pages. In natural language the match pattern is:
'*://'
)'www'
or ''
)'google'
'.com'
) and multi-part country TLDs (e.g. '.co.uk'
)'/search?'
Many people say 'to match all google search pages use "*://*.google.com/search?*"
but this is patently untrue as it will not match national TLDs like google.co.uk.
Thus the following code does not work at all:
chrome.webRequest.onBeforeRequest.addListener(
function(details) {
alert('This never happens');
}, {
urls: [
"*://*.google.*/search?*",
"*://google.*/search?*",
],
types: ["main_frame"]
},
["blocking"]
);
Using "*://*.google.com/search?*"
as the match pattern does work, but I fear I would need a list of every single Google localisation for that to be an effective strategy.
Unfortunately, match patterns do not allow wildcards for TLDs for security reasons.
You cannot use wildcard match patterns like
http://google.*/*
to match TLDs (likehttp://google.es
andhttp://google.fr
) due to the complexity of actually restricting such a match to only the desired domains.For the example of
http://google.*/*
, the Google domains would be matched, but so wouldhttp://google.someotherdomain.com
. Additionally, many sites do not own all of the TLDs for their domain. For an example, assume you want to usehttp://example.*/*
to matchhttp://example.com
andhttp://example.es
, buthttp://example.net
is a hostile site. If your extension has a bug, the hostile site could potentially attack your extension in order to get access to your extension's increased privileges.You should explicitly enumerate the TLDs that you wish to run your extension on.
A slightly unrealistic option would be to list all variants with all national TLDs.
Edit: thanks to an incredibly helpful comment by rsanchez, here's an up to date list of all Google domain variants which makes this approach viable.
A realistic option is to inject into a larger set of pages (for instance, all pages), then analyze the URL (with a regexp, for example) and only execute if it matches the pattern you are looking for. Yes, it will be a scarier permissions warning, and you will have to explain it to your users.