Browser Extension
Browser extensions provide a secure environment for identity management with protection against web-based attacks through script isolation.
Security Model
| Feature | Description |
|---|---|
| Isolated Context | Background script runs in an isolated environment |
| XSS Protection | Website compromises cannot access extension storage |
| Browser Encryption | Chrome Storage API provides encrypted persistence |
| CSP Enforcement | Content Security Policy prevents injection attacks |
| Same-Origin Bypass | Extension context bypasses same-origin restrictions |
Architecture Overview
Installation
Manifest Configuration
Manifest V3 (Chrome)
Firefox (Manifest V2/V3)
Background Script Setup
The background script is the core of your extension, running the SDK in an isolated context.
Content Script for HSM Bridge
The content script handles HSM UI operations that require user interaction.
Popup UI
Web Page Communication
Communicate with web pages to handle credential offers:
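One way to screen page messages at this boundary, as an added example that is not the SDK's own code. The `CREDENTIAL_OFFER` message type, the `offer` field, the allowlisted origin and the size limit are assumptions made for illustration.

```javascript
// Added example: hypothetical message shape and allowlist, not the SDK's API.
const ALLOWED_ORIGINS = new Set(['https://issuer.example']); // assumption
const MAX_OFFER_CHARS = 16 * 1024;                            // assumption

// Content-script side. Returns a rebuilt offer object, or null if rejected.
function screenOfferMessage(event, pageWindow, allowedOrigins = ALLOWED_ORIGINS) {
  // Accept only messages posted by the page's own window,
  // not by embedded frames or other windows.
  if (event.source !== pageWindow) return null;
  // Exact-match the origin; prefix or substring checks are bypassable.
  if (!allowedOrigins.has(event.origin)) return null;
  const data = event.data;
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (data.type !== 'CREDENTIAL_OFFER') return null;
  if (typeof data.offer !== 'string' || data.offer.length === 0) return null;
  if (data.offer.length > MAX_OFFER_CHARS) return null;
  // Forward only the fields that were checked, plus the origin the browser
  // reported (never an origin the page claims for itself).
  return { type: 'CREDENTIAL_OFFER', offer: data.offer, origin: event.origin };
}

// Background side, for use inside a chrome.runtime.onMessage listener:
// the relay must come from this extension's own content script in a tab.
function isTrustedRelay(sender, extensionId) {
  return Boolean(sender && sender.id === extensionId && sender.tab);
}

// Wiring; runs only inside an extension content script.
if (typeof chrome !== 'undefined' && chrome.runtime && typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const offer = screenOfferMessage(event, window);
    if (offer) chrome.runtime.sendMessage(offer);
  });
}
```

The background script should treat the forwarded `offer` string as untrusted input and parse it there, since the content script shares the DOM with the page.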
Offscreen Document (Persistent Background)
For operations requiring persistent background processing in Manifest V3:
Build Configuration
Webpack
Vite
Testing
Load Unpacked Extension
- Build your extension: npm run build
- Open Chrome and navigate to chrome://extensions
- Enable "Developer mode"
- Click "Load unpacked" and select your dist folder
Debug Background Script
- On chrome://extensions, find your extension
- Click the "service worker" link to open DevTools
- Set breakpoints and inspect state
Troubleshooting
Service Worker Stops
Manifest V3 service workers can be terminated. Persist state in Chrome Storage:
CORS Issues
Use the background script for all API calls to bypass CORS:
Next Steps
- Authentication Guide
- Zero-Knowledge Proofs
- API Reference