Manual password entry required about notscripts HOT 11 OPEN

If the password needs to be set only once and never needs to change, why can't 
a random string of characters used for the password? This password could be 
created when the extension is first enabled and it would then be stored with 
the rest of the extension's settings. Since settings get saved across extension 
updates, I think this would fix the problem of the password file getting reset 
on an update too.

Manual password entry is currently required because of the asynchronous nature 
of the Google Chrome extensions API and the requirement that we must have 
access to the encryption password right when a page loads. The portion of 
NotScripts that uses the encryption password is the content script and for a 
normal extension, it would use a chrome.extension.sendRequest(...) to retrieve 
the password and updated settings from the portion of the extension where it 
resides since content scripts are sandboxed from everything else. 

chrome.extension.sendRequest(...) is does not return the needed values until 
some portion of the scripts on a webpage have already run. The password file is 
loaded by the content script before it runs it's code because we state to do 
that always in the extension manifest. However, a Google Chrome extension does 
not have permission to write to disk directly and cannot self edit it's 
extension files. 

Apple Safari has a canLoad(...) function that returns immediately and is well 
suited to solve this problem. I'm hoping that Google allows canLoad(...) to 
slip into Webkit so I can simplify NotScripts. Until the, we will have to wait 
and see.

[deleted comment]

Please help resolve the password requirement issue by starring this Chromium 
bug report: 

http://code.google.com/p/chromium/issues/detail?id=54257

The path on Linux is incorrect for my machine (ubuntu). I had to uninstall the 
plugin to post this comment.

It seems that I found a solution to this issue. By using programmatic 
injection, I was able to provide the ENCRYPTION_KEY to the content scripts 
without declaring it in a file. Take a look at the attached diff.

It's not 100% perfect at the moment, since blockAfter.js is broken (and I 
didn't want to spend even more time unbreaking it). But as a proof of concept, 
it seems to be working nicely.

Just to clarify, the brokenness is related only to the fact that (at least for 
me right now), the content scripts declared as document_start seem to be run 
before the programmatic injection. So blockAfter.js is run before 
blockStart.js. But that's it, the whole thing still seems to run before the DOM 
is fully constructed, and before on-page scripts run.

I have looked through the NotScript source files and determined it would be 
easy for the author to allow for setting the password in the extension's 
LocalStorage.  It appears the author may not have known how to have content 
scripts communicate with the extension backend to make this possible, but then 
at some later point the author did figure out how to do this but never 
incorporated it into the password mechanism.

But a more fundamental flaw is that the password should not be required at all, 
as the reason it is required is to allow it to expose extension data to 
websites without the websites being able to read it (but they can easily delete 
it, on purpose or by accident).  I will post a separate issue about my findings.

The instructions do not include password configuration for Chromebook 
instllations of chrome, where OS access is quite likely limited for most users.

I like the cut of megazzt's jib; LocalStorage seems the way to go.

In the meantime, this extension appears unusable for the majority of Chromebook 
users.

I have Notscripts loaded on all my Chrome browsers, but I was very sad that it 
cannot run on my Chromebook.  I feel like I'm naked when I go to websites with 
all their scripts running...