Should I expect any issues if I want to communicate between a secure (https) Website and a chrome extension?

Question

I have a chrome extension that currently communicates with a website over http, what would be the difficulties/problems that could occur if I switch my website to be https.

Communication is done using this method (chrome.runtime.sendMessage) https://developer.chrome.com/extensions/messaging#external-webpage

And I also pull some Iframe pages from the website

Answer 1

As far as chrome.runtime messaging goes, Chrome does not care, as long as you have permissions.

And that might be your problem if you specified your match patterns as "http://example.com/*" instead of "*://example.com/*". Adding a permission for HTTPS if it wasn't there before may trigger a new permission warning, which is.. unpleasant.

Triggering a new permission warning for an already-deployed extension means that the extension is automatically disabled after the update.

The user is then presented with a popup explaining that the extension was disabled due to requesting more permissions that it had, and requesting the user to review them (or leave the extension disabled). You run the risk of users deciding not to bother, or misunderstand this warning and think it's malware / complain.

Fortunately, "externally_connectable" match patterns do not trigger warnings - because such connections always have to be initiated by the page. If, however, you are also using a permission to do XHR, or a match pattern to inject a content script - the above applies.

You could potentially employ optional permissions to avoid this scenario, but that's a complicated way.