by Dan Connolly <http://www.madmode.com/>
Share and Enjoy according to the terms of the MIT Open Source License.
For a scripted process that consumes exported Simple banking transactions, full account credentials (username and password) are more than is needed. Session credentials, which are revocable and in fact revoked as a matter of course, are sufficient.
This Chrome Extension adds a page action to the Simple account activity page. Invoking the action brings up session credentials in JSON, suitable for copy-and-paste to scripted processes.
When you load the extension, you grant it the privileges listed in manifest.json.
- manifest.json says to grant to bg.js:
  - onInstalled via background: { scripts: ... }
  - pageAction by page_action: { ... }
  - webNavigation, activeTab, and cross-origin access to insert code into simple.com pages
In bg.js, we use webNavigation to listen to onCompleted events for the simple.com activity page. When we get such an event,
- We use activeTab.runScript to inject shareToken.js, which gets
  - the DOM of the Simple activity page and
  - a channel to listen for messages from the extension
- shareToken.js
  1. injects a script that evaluates _token in the activity page scope and then
  2. adds a message handler that sends the token to the requestor
- In bg.js, we use pageAction to show popup.html
- When the user clicks on the pageAction icon in the toolbar, popup.html gets
  - DOM access to the popup,
  - activeTab, cookies, and cross-origin access to simple.com
popup.html loads the (powerless) creds.js module and runs popup.js, which attenuates its access a bit and then calls creds to handle page onLoaded: creds sends a "shareToken" message to the content page and displays the response along with the _simple_session cookie.
I made some attempt to use object capability style by pushing use of ambient authority to the edges.
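The attenuation step described above, sketched as an added example (not the extension's own code): the edge code narrows the ambient `chrome` API to two single-purpose functions and hands only those to a powerless module. The function names, the `{ type: 'shareToken' }` message shape, the `{ token }` reply shape, the `https://simple.com/` cookie URL and the fake `chrome` object are assumptions made so the example runs under Node.

```javascript
// Edge of the system: the only code that touches the ambient `chrome` object.
// It hands back two narrow capabilities instead of the cookies/tabs APIs.
function attenuate(chrome, origin, cookieName) {
  return Object.freeze({
    // Reads exactly one named cookie on one origin; the caller picks neither.
    getSessionCookie(cb) {
      chrome.cookies.get({ url: origin, name: cookieName }, (c) => cb(c ? c.value : null));
    },
    // Sends exactly one message type to the active tab, nothing else.
    askToken(cb) {
      chrome.tabs.query({ active: true, currentWindow: true }, (tabs) => {
        if (!tabs.length) return cb(null);
        chrome.tabs.sendMessage(tabs[0].id, { type: 'shareToken' }, // message shape assumed
          (reply) => cb(reply ? reply.token : null));
      });
    },
  });
}

// Powerless module (the role creds.js plays): uses no globals, only what it is handed.
function showCreds(powers, display) {
  powers.askToken((token) => powers.getSessionCookie((session) =>
    display(JSON.stringify({ token, session }))));
}

// Constructed stand-in for the chrome API; cookie and token values are made up.
function makeFakeChrome(log) {
  const jar = { _simple_session: 'sess-EXAMPLE', other_cookie: 'unrelated' };
  return {
    cookies: { get(q, cb) {
      log.push(`cookies.get ${q.url} ${q.name}`);
      cb(q.name in jar ? { value: jar[q.name] } : null);
    } },
    tabs: {
      query(q, cb) { cb([{ id: 7 }]); },
      sendMessage(id, msg, cb) {
        log.push(`sendMessage ${id} ${msg.type}`);
        cb(msg.type === 'shareToken' ? { token: 'tok-EXAMPLE' } : undefined);
      },
    },
  };
}

function demo() {
  const log = [], shown = [];
  const powers = attenuate(makeFakeChrome(log), 'https://simple.com/', '_simple_session');
  showCreds(powers, (text) => shown.push(text));
  return { shown, log, powerNames: Object.keys(powers) };
}
```

Because `showCreds` never sees `chrome`, the log returned by `demo()` is the complete record of what the module could reach: one message to the tab and one cookie lookup.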