MV3-ready, stronger relays, on-demand “controlled” banner, and first-class Focus.
Added

focus handler (new): brings the targeted tab to the foreground and re-broadcasts a tabStatus.
Unique tabKey mapping: non-destructive reassignment (the old tab remains open but loses its key).
“Raw types” admin bridge: accepts direct domType, domClick, focus... normalized on the content side.
Demo protocols & helpers: strict RTO_REQUEST/RTO_RESPONSE detection, listTabs/tabStatus, and window.RTO utilities (read mutex, Google/YouTube aliases).


Changed

tabStatus now always includes tabKey (attach/detach, close, unregister).
getHtml patched: property-aware immediate response with truncation (~5,000 chars) and preserved requestId.
Allowlist normalization: merges allowedDomains + legacy inheritance; de-duplicates and supports “apex” wildcards.


Fixes & Resilience

Robust relays: background timeout now triggers automatic content.js reinjection (all frames), then retry.
Per-host queue: suspended actions resume after ALLOWLIST_ADD (apex/wildcard management).


Security & UX

HTTPS-only, no file:/javascript:; LAN/localhost restricted by dedicated flags.
Sensitive-field reads blocked + sanitized outerHTML (remove value, add data-redacted).
“Controlled by RTO” banner available on demand only; can be minimized into a movable pill, with position persisted via window.name and mirrored to background; ALLOWLIST_NEEDED toasts.


Demos & Examples

Google → YouTube flow: open/read the first result, then smart navigation to YouTube (main or “extras” tab).
Remote form (DTI): focus/type, selectSetValue, highlight, submit, and sequential reads via a mutexed getHtml.


Upgrade Notes

Replace background_core.js, content.js, content_master.js (no data migration).
Event consumers should wait for tabStatus with an existing tabKey.
Public documentation remains compatible (v7.9.3); the new focus action and “raw types” bridge integrate without breaking changes.


— End of v7.10.1 —

Remote Tab Opener — 2025-10-25

Admin demo flow finalized (Steps 1–10), UX/state sync refined, and internal consistency with background/content preserved.
Added and demonstration improvements for the full working E2E demo page

Step 10 — Close tab: explicit close action; UI auto-scrolls back to Step 1 and resets states.
Live section toggle: #demo_open hides/shows based on tab open state.
Source-code accordion (optional, docs): quick links to per-step scripts with explanations.


Changed

Button states: Step 1 primary button reflects lifecycle (Open → Opened → Refreshed → Closed) with colors, and re-enables after actions.
Router pattern: actions bound via data-action, each step isolated in its own file (e.g., demo_lorem_open.js, demo_lorem_submit.js).
Reads & alerts: Steps 5–9 show compact alert() summaries (name/note, results, password-read blocked message, etc.).


Fixed

Checkbox/radio mirroring (Step 7): copy exact state instead of toggling; buttons no longer remain disabled after completion.
Submit + focus (Step 8): ensures form submission triggers and remote tab gets focus.
Open-state on reload: on admin page reload, Step 1 button reflects current remote tab status.


Docs & Demo

Clarified scope/safety in “What does E2E mean with RTO?” block.
Consolidated examples: allowlist (Step 1b) and favorites (Step 1c) fully wired (add/check/show/remove).
Deprecated admin.js in favor of demo_master.js + per-step scripts.


— End of v7.9.3 —

Reliability & UX safety pass: single controlled tab, robust allowlist handling, visible control banner, and new safe style actions.
Added
Control banner (controlled tabs only): persistent thin orange banner at the very top, with a blinking red dot and a dismiss action that minimizes it to a top-right chip. Survives open, navigate, and in-tab browsing. Cannot be hidden/overridden by page CSS/JS.
New safe actions in content.js:
domSetStyle — whitelisted CSS properties applied with !important (plus a robust fallback).
highlight — temporary halo (outline + soft background + box-shadow) with customizable color/duration.
selectSetValue — safely changes <select> value and dispatches input/change.
Admin bridge normalization: accepts {type:"command" | "RTO_COMMAND"} and common aliases (domClick→click, domType→setValue, etc.).
Read pipeline: getHtml now posts a unified getHtmlResult message (outerHTML / innerHTML / textContent / innerText / value) with sensitive-field protection.
Maintenance hook: injectContentScript message to re-inject the content script on an existing controlled tab.
Changed
Allowlist semantics: storage entries now support canonical https origins by default (e.g., https://example.org) while wildcards (e.g., .example.) stay host-based. Background consistently normalizes and checks against origins/hosts.
Master/controlled tab policy: the background will never “steal” the master tab. If the controlled tab equals the master, open automatically forces newTab:true.
Adoption rules: on tab activation, adopt only when no controlled tab exists and the host is allowed (prevents unintended control switches).
Banner UX: minimized state placed top-right (to avoid overlapping hamburger menus); slim height; orange gradient restored.
Fixed
Single controlled tab: repeated open calls re-use the existing controlled tab when alive (unless newTab:true is set).
“Domain not allowed” prompt targeting: prompt appears only on non-allowed controlled tabs (no prompt on the admin/master page or already-allowed domains).
Style actions visibility: specificity ensured via style.setProperty(..., "important") plus safe fallback, improving reliability on heavy CSS sites.
getHtml property reads: returns the requested property (no unintended outerHTML for form fields). Timeouts mitigated by observeElement and injectContentScript re-injection path.
Bridge echo: messages from the admin page are no longer echoed back as admin-origin, preventing handler confusion during reads.
Security & Privacy
HTTPS-only; still blocks file://, javascript:, and LAN ranges.
Sensitive field protection unchanged (password/hidden/credit-card/IBAN/SSN patterns).
Legacy runJs path remains extension-side only; page messages are limited to the safe action set.
Upgrade notes
After reloading the admin page, declare it again via setMasterTab then open (or ad

Remote Tab Opener — 2025-10-21

Option 2 rollout: safe DOM actions on whitelisted sites, silent search‑engine allowlist seeding, manifest fix, and UX polish.
Added

Safe named DOM actions bridge (no arbitrary code) via type:"command": getHtml, setValue, click, focusElement, submit. Forwarded by background only if current tab host is allowed.
SE_HOSTS silent seeding in content.js: pre‑adds major search engines to the allowlist once (ALLOWLIST_ADD), keeping policyDefault = deny.
User prompt UI refined in content_master.js: host chip, validation, double‑click guard, Chrome/Firefox API alias.
Demo UX: Google open button now two‑phase success (stop blinking early; then confirm Google URL).


Changed

background_core.js: DEBUG_FORCE_ALLOW = false by default; host allowlist strictly enforced for named DOM actions.
content.js: relays command only for the approved action set; rejects anything else.
manifest.json: fixed duplicate keys; added content_master.js as a content script; optional webRequest/webRequestBlocking permissions for WRB (Firefox MV2).


Security & Privacy

HTTPS‑only; blocks file://, javascript:, and LAN ranges.
Sensitive fields protected: never return password/hidden values; sanitized outerHTML removes value attributes on inputs/textarea.
Allowlist gating: named DOM actions execute only on whitelisted hosts (storage or static fallback).


Compatibility

MV2 (Firefox/Chromium) with tabs.executeScript retained for legacy runJs path (extension‑side only).
content_master.js loads at document_idle; content.js at document_start.


Upgrade notes

Update files: background_core.js, content.js, content_master.js, manifest.json.
No migration of user data. First run will seed search engines and keep policy as deny.
Recommended allowlist for demo: *.google.*, www.bing.com, duckduckgo.com, search.brave.com, www.qwant.com, www.startpage.com, www.ecosia.org, search.yahoo.com.


— End of v7.9.1 —

Security

Sensitive-field hard block : interdit la lecture des <input type="password">, type="hidden", et des champs détectés par name/id/autocomplete (password / credit-card / IBAN / SSN).
Sanitized serialization : outerHTML supprime la valeur value des inputs/textarea et marque les mots de passe via data-redacted="true".
Surface page → extension réduite : côté page, postMessage ne relaie que focus / focusByUrl / focusByPrefix / navigate.


Added

Unlimited HTML fragment extraction (ethical mode) : getHtml supporte outerHTML, innerHTML, textContent, innerText, value (avec garde-fous), inter-domaines.
All-frames coverage : injection programmatique avec { allFrames: true } pour atteindre les iframes (selon autorisations d’hôte).
Visual focus API : focus, focusByUrl, focusByPrefix activent de façon fiable l’onglet et la fenêtre.


Changed

Robust result relay : getHtmlResult renvoyé à l’UI en succès comme en erreur (statuts/messages explicites).
Navigate flow : ré-injection de content.js après tabs.update (toutes frames), puis restauration du focus.


Fixed

Race sur DOM ready : l’observateur d’élément attend document.readyState === "complete" avant de résoudre.
Erreurs de sélecteur : timeouts plus clairs (Element not found after timeout: <selector>).
URL allowlist : échappement RegExp correct pour les domaines personnalisés ; fiabilité accrue.


Performance

Clonage léger pour la sanitization ; aucune dépendance externe.
Pas d’auto-injection globale : empreinte minimale tant qu’aucune action n’est demandée.


Compatibility

Manifest : inchangé (MV2). Permissions : tabs, activeTab, storage, <all_urls>.
APIs : runJs, setValue, click, submit, getTitle conservées. setValue bloque désormais les cibles sensibles.


Upgrade notes

Aucune étape de migration.
Les lectures sur champs sensibles renvoient désormais { status:"error", error:"Access to sensitive field is blocked" }.


Security

Sensitive-field hard block: denies reads on <input type="password">, type="hidden", and fields flagged by name/id/autocomplete (password/credit-card/IBAN/SSN).

Sanitized serialization: outerHTML now strips live value on inputs/textarea and tags password fields as data-redacted="true".

Reduced page → extension surface: page postMessage only whitelists focus|focusByUrl|focusByPrefix|navigate (no DOM extraction from web context).

Added

Unlimited HTML fragment extraction (ethical mode): getHtml supports outerHTML|innerHTML|textContent|innerText|value with guards, cross-domain.

All-frames coverage: programmatic injection uses { allFrames: true } to reach cross-origin iframes when host access permits.

Visual focus API: focus, focusByUrl, focusByPrefix reliably activate tab and window.

Changed

Robust result relay: getHtmlResult forwarded to UI both on success and error (with explicit status/messages).

Navigate flow: re-injects content.js after tabs.update completes (all frames), then restores focus.

Fixed

Race on DOM ready: element observer waits for document.readyState === "complete" before resolving.

Selector errors: clearer timeouts (Element not found after timeout: <selector>).

URL allowlist: RegExp escaping for custom domains; unchanged policy, better reliability.

Performance

Lightweight cloning for sanitization; no external deps.

No global auto-inject: keeps footprint minimal unless commanded.

Compatibility

Manifest: unchanged (MV2). Permissions remain: tabs, activeTab, storage, <all_urls>.

APIs: runJs, setValue, click, submit, getTitle retained. setValue now blocks sensitive targets.

Upgrade notes

No migration steps required.

If you previously relied on reading password/hidden fields, calls now return status:"error" with "Access to sensitive field is blocked".

The plug-in will become spinned into the toolbar

This version allows to focus the target cross-domain window. No other update.

A small display bug :)

📦 Version 7.6 – Enhanced Security & Stability



✅ Strict URL filtering: only https:// pages are allowed.

🔒 Blocked unsafe protocols: ftp://, file://, javascript: and private/local addresses (like localhost, 192.168.x.x, etc.) are now denied.

🧠 Custom domain control: users can define allowed domains; if empty, all HTTPS sites are permitted.

⚙️ Code improvements: cleaner structure, safer logic for tab control and script injection.


Security improvements

Bugs solved and improvements

Supports javascript remote to the Remoted Tab