Content-script messaging

Bridge page ↔ content ↔ service worker without leaks or hangs.

Safety

  • No direct page eval; use the isolated world and avoid string eval.
  • Sanitize DOM reads; prefer semantic anchors over brittle selectors.
  • Structured clone only; cap payload sizes and strip functions.
  • Cap message rates; debounce/coalesce to protect runtime.
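Worked example for the structured-clone and rate-cap points above. This is an added example, not code from the page: the helper names, the 64 KiB payload cap and the token-bucket parameters are assumptions chosen for illustration. sanitizePayload rejects anything a structured clone could not carry cleanly across the page/content/worker boundary (functions, symbols, non-plain objects), prepareOutbound enforces the size cap, and makeRateLimiter is the sender-side throttle; the clock is injectable so the policy can be checked without real time.

```javascript
// Added example (not from the original page). Makes a value safe to cross a
// structured-clone boundary and caps how often a sender may emit.
// Limits below are assumed; pick values per extension.

const MAX_PAYLOAD_BYTES = 64 * 1024; // assumed cap on one message
const MAX_DEPTH = 16;                // guard against pathological nesting

// Return a copy of `value` holding only plain data. Functions, symbols and
// undefined are dropped, prototypes are not carried across, and nesting
// deeper than MAX_DEPTH or unsupported types become explicit errors so the
// caller fails loudly instead of shipping something surprising.
function sanitizePayload(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error('E_TOO_DEEP');
  const t = typeof value;
  if (t === 'function' || t === 'symbol' || t === 'undefined') return undefined;
  if (t === 'bigint') throw new Error('E_UNSUPPORTED_TYPE'); // not JSON-measurable
  if (value === null || t !== 'object') return value;         // string/number/boolean
  if (Array.isArray(value)) {
    // Holes and stripped entries become null so indexes stay stable.
    return value.map((v) => {
      const s = sanitizePayload(v, depth + 1);
      return s === undefined ? null : s;
    });
  }
  // Plain objects only: Date, Map, DOM nodes etc. must be serialized by the
  // caller (e.g. an ISO string) rather than sent as-is.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) throw new Error('E_UNSUPPORTED_TYPE');
  const out = {};
  for (const key of Object.keys(value)) {
    const s = sanitizePayload(value[key], depth + 1);
    if (s !== undefined) out[key] = s;
  }
  return out;
}

// Serialized size in bytes, a proxy for what the receiver pays to clone it.
function payloadBytes(value) {
  return new TextEncoder().encode(JSON.stringify(value)).length;
}

// Sender-side gate: sanitize, then refuse anything over the cap.
function prepareOutbound(value, maxBytes = MAX_PAYLOAD_BYTES) {
  const clean = sanitizePayload(value);
  const bytes = payloadBytes(clean);
  if (bytes > maxBytes) throw new Error(`E_TOO_LARGE (${bytes} > ${maxBytes})`);
  return clean;
}

// Token bucket: `capacity` messages may burst, then `refillPerSec` sustain.
// `now` is injectable (ms) so the policy is testable without real time.
function makeRateLimiter({ capacity, refillPerSec, now = () => Date.now() }) {
  let tokens = capacity;
  let last = now();
  return function allow() {
    const t = now();
    tokens = Math.min(capacity, tokens + ((t - last) / 1000) * refillPerSec);
    last = t;
    if (tokens < 1) return false;
    tokens -= 1;
    return true;
  };
}
```

Usage: run every outbound message through prepareOutbound and gate the send with the limiter; on the receiving side re-run sanitizePayload, since the other end of the bridge is not trusted to have done it.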

Contracts

  • Command/response shapes with IDs (type, requestId, payload, error).
  • Timeouts + cancellation with abort signals and clear error codes.
  • Idempotency keys for at-least-once delivery.
  • Versioned protocol and capability checks.
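Worked example covering the four contract points above in one piece. This is an added example, not the page's code: the envelope fields beyond type/requestId/payload/error (v, kind, idempotencyKey), the error codes and the RequestBroker class are assumptions. The broker takes any send function (chrome.runtime.sendMessage or port.postMessage would both fit), times each request out, cancels it on an AbortSignal, and ignores late or duplicate replies; timers are injectable so the timeout path can be driven deterministically.

```javascript
// Added example (not from the original page). Request/response envelope with
// request IDs, protocol version check, timeout and abort cancellation.
// Field names, error codes and class names are this example's assumptions.

const PROTOCOL_VERSION = 2; // assumed; bump whenever shapes change
const ERR = { TIMEOUT: 'E_TIMEOUT', ABORTED: 'E_ABORTED', VERSION: 'E_VERSION', SHAPE: 'E_SHAPE' };

let seq = 0;
function createRequest(type, payload, { idempotencyKey } = {}) {
  // idempotencyKey lets the receiver dedupe if delivery is at-least-once.
  return { v: PROTOCOL_VERSION, kind: 'request', type, requestId: `req-${++seq}`,
           idempotencyKey: idempotencyKey ?? null, payload };
}

function createResponse(request, { payload = null, error = null } = {}) {
  return { v: PROTOCOL_VERSION, kind: 'response', type: request.type,
           requestId: request.requestId, payload, error };
}

// Receiver-side validation before any field is trusted. Returns an error
// code or null; unknown versions are rejected rather than guessed at.
function validateEnvelope(msg) {
  if (!msg || typeof msg !== 'object') return ERR.SHAPE;
  if (msg.v !== PROTOCOL_VERSION) return ERR.VERSION;
  if (msg.kind !== 'request' && msg.kind !== 'response') return ERR.SHAPE;
  if (typeof msg.type !== 'string' || typeof msg.requestId !== 'string') return ERR.SHAPE;
  return null;
}

class RequestBroker {
  constructor(send, { timeoutMs = 5000, timers = { set: setTimeout, clear: clearTimeout } } = {}) {
    this.send = send; this.timeoutMs = timeoutMs; this.timers = timers;
    this.pending = new Map(); // requestId -> { resolve, reject, timer, signal, onAbort }
  }
  pendingCount() { return this.pending.size; }

  // Resolves with the reply payload, rejects with E_TIMEOUT / E_ABORTED /
  // the peer's error string. Nothing is left in `pending` after settling.
  request(type, payload, { signal, idempotencyKey } = {}) {
    const req = createRequest(type, payload, { idempotencyKey });
    return new Promise((resolve, reject) => {
      if (signal?.aborted) { reject(new Error(ERR.ABORTED)); return; }
      const timer = this.timers.set(() => this.fail(req.requestId, ERR.TIMEOUT), this.timeoutMs);
      const onAbort = () => this.fail(req.requestId, ERR.ABORTED);
      signal?.addEventListener('abort', onAbort, { once: true });
      this.pending.set(req.requestId, { resolve, reject, timer, signal, onAbort });
      this.send(req);
    });
  }

  // Feed every inbound message here; returns true if it settled a request.
  handleMessage(msg) {
    if (validateEnvelope(msg) !== null || msg.kind !== 'response') return false;
    const entry = this.#take(msg.requestId);
    if (!entry) return false; // late, duplicate or unsolicited reply: ignored
    if (msg.error) entry.reject(new Error(msg.error)); else entry.resolve(msg.payload);
    return true;
  }

  // Settle a request with a local error code (timeout, abort, port closed).
  fail(requestId, code) {
    const entry = this.#take(requestId);
    if (!entry) return false;
    entry.reject(new Error(code));
    return true;
  }

  // Remove and return a pending entry, releasing its timer and abort hook.
  #take(requestId) {
    const entry = this.pending.get(requestId);
    if (!entry) return undefined;
    this.pending.delete(requestId);
    this.timers.clear(entry.timer);
    entry.signal?.removeEventListener('abort', entry.onAbort);
    return entry;
  }
}
```

When a port disconnects, call fail on every pending requestId so callers see a clear error instead of hanging; the pending map is also the thing to inspect for leaks.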

Streams

  • Use ports for long-running ops and bi-directional updates.
  • Backpressure: queue, drop, or coalesce—never unbounded buffers.
  • Heartbeat & liveness on long streams; auto-reconnect with jitter.
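Worked example for the backpressure and liveness points above. This is an added example, not the page's code: BoundedQueue, Liveness, reconnectDelay and the policy names are assumptions. The queue sits in front of port.postMessage on the sending side and offers the three bounded behaviours the list names (drop, or coalesce by key, with the buffer never growing past capacity); Liveness tracks missed heartbeats on the receiving side; reconnectDelay is capped exponential backoff with full jitter, with the random source injectable.

```javascript
// Added example (not from the original page). Backpressure and liveness
// helpers for a port-based stream. Names, limits and policies are assumed.

// Bounded outbound queue. Policies:
//   'drop-newest'  refuse the incoming item when full
//   'drop-oldest'  evict the head to make room
//   'coalesce'     an item replaces any queued item with the same key
//                  (latest wins), so a value updating 100x/s sends one
//                  frame per flush; distinct keys beyond capacity are refused
class BoundedQueue {
  constructor({ capacity, policy = 'drop-newest', keyOf = () => null }) {
    this.capacity = capacity; this.policy = policy; this.keyOf = keyOf;
    this.items = []; this.dropped = 0; // `dropped` is the metric to watch
  }
  get size() { return this.items.length; }
  push(item) {
    if (this.policy === 'coalesce') {
      const key = this.keyOf(item);
      if (key !== null) {
        const i = this.items.findIndex((x) => this.keyOf(x) === key);
        if (i >= 0) { this.items[i] = item; return true; }
      }
    }
    if (this.items.length >= this.capacity) {
      this.dropped += 1;
      if (this.policy === 'drop-oldest') this.items.shift();
      else return false; // drop-newest, and coalesce overflow
    }
    this.items.push(item);
    return true;
  }
  // Hand the batch to the transport in one go (call from an idle/animation
  // tick); returns how many frames were posted.
  flush(post) {
    const batch = this.items;
    this.items = [];
    for (const m of batch) post(m);
    return batch.length;
  }
}

// Liveness: the peer must send a heartbeat every `intervalMs`; after
// `missedLimit` missed beats the stream is declared dead. `openedAt` counts
// as the first beat so a fresh port gets a grace period.
class Liveness {
  constructor({ intervalMs, missedLimit = 3, openedAt = 0 }) {
    this.intervalMs = intervalMs; this.missedLimit = missedLimit; this.lastBeat = openedAt;
  }
  beat(now) { this.lastBeat = now; }
  missed(now) { return Math.floor((now - this.lastBeat) / this.intervalMs); }
  isAlive(now) { return this.missed(now) < this.missedLimit; }
}

// Exponential backoff with full jitter, capped at `capMs`; `rng` is
// injectable so the schedule can be tested.
function reconnectDelay(attempt, { baseMs = 250, capMs = 30000, rng = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rng() * ceiling);
}
```

A typical wiring: a setInterval on each side sends a heartbeat frame and calls beat on receipt; when isAlive turns false, disconnect the port and reconnect after reconnectDelay(attempt), resetting attempt to 0 once a heartbeat arrives.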