What: The BlueConic Chrome Extension allows you to log in to a BlueConic server and work with websites, even if these websites do not have the BlueConic script or refuse to be inlined in the BlueConic dialogue editor, visual picker, or simulator.
Why: Working with your website in BlueConic requires you to place the BlueConic script on your pages. The extension allows you to work with your website while you are waiting for the script to be placed. Some websites refuse to be inlined in the BlueConic dialogue editor, visual picker, or simulator; the extension allows you to circumvent this problem and allows you to work with the website like any other website.
Get the latest version of the BlueConic Chrome Extension
The BlueConic Chrome Extension can be installed from the Chrome Web Store for free, or downloaded right in the BlueConic environment during your first login. Log in to your BlueConic server and the extension will sandbox any website of the BlueConic server without the need to place the BlueConic script on that site. The sandboxed website will run all Listeners and Dialogues from the connected BlueConic environment.
Any website can be sandboxed with the BlueConic Extension active:
Websites in your BlueConic channels without the BlueConic script will have the script for your server inserted.
Websites that already contain a BlueConic script will have it replaced by a script inserted by the extension. This means that the original BlueConic listeners and dialogues will not be run. Instead, the listeners and dialogues of the BlueConic server you logged in to will be executed - provided the website is in your BlueConic channels.
This makes the BlueConic Extension an invaluable tool for developing and testing BlueConic listeners and dialogues.
Installing the BlueConic Chrome Extension
You can download the BlueConic extension during your initial login to your BlueConic environment, or visit the Chrome Web Store. Once installed, the BlueConic extension will be active for all channels of the BlueConic server that you are logged into. The extension can be disabled and re-enabled by clicking on the icon and the Enable/Disable checkbox.
The BlueConic Chrome Extension is an extension like any other. To maintain it, you can open chrome://extensions. Here you can allow the extension to also be active in incognito mode, or you can disable or even remove the extension.
How does the BlueConic Chrome Extension work?
The BlueConic platform, when used on websites, is activated on a website using a JavaScript tag. There are limitations to what an inlined JavaScript script tag can achieve in a browser. The BlueConic Chrome extension is designed to extend the capabilities of the BlueConic platform in the browser by working in concert with the platform.
The following sections describe how the BlueConic Chrome extension does its work.
Connecting to the tenant
Challenge
When the BlueConic script is not (yet) installed on a website (or points to another BlueConic tenant), the extension should inject the BlueConic script on website pages that are part of your BlueConic channels, so BlueConic users can test the usage or setup of BlueConic without a script.
Solution
When a user logs in to BlueConic, the platform sets a cookie named “amdatu_token”. The creation of this cookie triggers the extension to:
1. Pick up the hostname of the BlueConic tenant that the user logged in to.
2. Use the BlueConic REST API and the authentication information in the “amdatu_token” to connect to the tenant, request all hostnames in your BlueConic channels, and register them as belonging to that tenant's hostname.
The extension repeats step 2 every couple of minutes, to account for possible changes in the BlueConic tenant. This can happen for multiple BlueConic tenants, each with their own channels.
If a user signs out of BlueConic, the “amdatu_token” cookie is removed. This triggers the extension to delete the hostname and its registered channels.
The BlueConic extension is only active for users who are logged in to a BlueConic tenant and for websites that are in the channels of that tenant.
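The scoping rule above (logged-in tenant, and page host in that tenant's channels) can be modelled as a small registry. This is an added illustration, not BlueConic's code: the class, its method names, the exact-hostname matching, and the `.example` hostnames are all assumptions.

```javascript
// Added illustration, not BlueConic's code. Class and method names are hypothetical.
class ChannelRegistry {
  constructor() {
    this.enabled = true;        // mirrors the Enable/Disable checkbox
    this.tenants = new Map();   // tenant hostname -> Set of channel hostnames
  }

  // "amdatu_token" cookie created, or periodic refresh: (re)register channels.
  register(tenantHost, channelHosts) {
    const hosts = new Set(channelHosts.map((h) => h.trim().toLowerCase()));
    this.tenants.set(tenantHost.toLowerCase(), hosts);
  }

  // "amdatu_token" cookie removed: forget the tenant and its channels.
  unregister(tenantHost) {
    this.tenants.delete(tenantHost.toLowerCase());
  }

  // Tenant whose channels contain this page's host, or null when inactive.
  tenantFor(pageUrl) {
    if (!this.enabled) return null;
    let url;
    try {
      url = new URL(pageUrl);
    } catch {
      return null;              // unparsable URL: never active
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    for (const [tenant, hosts] of this.tenants) {
      // Assumption: exact match on the parsed hostname, never a substring test.
      if (hosts.has(url.hostname)) return tenant;
    }
    return null;
  }
}

// Constructed sample data using reserved .example names.
function demoRegistry() {
  const reg = new ChannelRegistry();
  reg.register("tenant.example", ["www.shop.example", "blog.shop.example"]);
  return reg;
}
```

Matching on the parsed hostname rather than on the raw URL string keeps look-alike hosts and query-string mentions of a channel host outside the extension's scope.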
Script insertion
Challenge
Users sometimes don’t see BlueConic dialogues appear on the website. There could be myriad reasons for this, one of which is that the website is part of your BlueConic channels, but the script is not (yet) installed on the website, or points to another BlueConic tenant.
Solution
The BlueConic Chrome extension keeps an eye on the URLs of pages that are being requested in tabs and iframes. If the user is logged in to a tenant and visits a website that is in that tenant's channels, the extension inserts a BlueConic JavaScript tag in that page.
Note that this might end up inserting a second script tag if there already was one embedded in the page. Loading the BlueConic script twice on a page is prohibited, because it will result in anomalies. To prevent this, the extension monitors the BlueConic script requests from the page and blocks them, then injects the BlueConic script of the intended tenant.
Original script is blocked.
Script for the intended tenant being requested instead of the original (notice the source=blueconic-browser-extension).
So now, a user can add a website to their BlueConic tenant's channels, and in their browser the extension would automatically add the BlueConic script for their tenant to the website, even if the script is not installed yet.
Since the extension is now involved in inserting the script, it can also signal its state to the editor. This is done by changing the color of the icon from grey to blue.
If the BlueConic Chrome extension is active on a website, its icon will turn from grey to blue. The status message updates, and the BlueConic environment and the current BlueConic Profile ID are displayed.
Inlining
Challenge
The BlueConic platform UI is a website itself. Elements such as the editor, visual picker, or simulator are webpages that either inline the target website or trigger JavaScript on it to render overlays. Browser security severely restricts what is possible when one website interacts with another.
Web security headers can prevent websites from being loaded into iframes.
Content security policies can prevent resources from being loaded into websites.
Solution
The BlueConic Chrome extension scans for requests to be loaded into tabs or iframes. It matches the URLs to the hostnames in the channels it learned when the user logged in. These requests are inspected for security headers that prohibit inline framing, including:
X-Frame-Options
Frame-Option
X-Content-Security-Policy
Content-Security-Policy
These headers are then removed for requests where the extension is active (i.e. only for websites configured in BlueConic itself), allowing the BlueConic platform to inline the website in the editor.
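Because the listed headers are removed whole, a Content-Security-Policy header takes all of its directives with it, not only the framing restriction. The following added example (not BlueConic's code; the function name and sample headers are constructed) reports, for a captured set of response headers, which ones restrict framing and which other CSP directives are lost alongside them.

```javascript
// Added illustration, not BlueConic's code. Names and sample data are hypothetical.
const LISTED = ["x-frame-options", "frame-option",
                "x-content-security-policy", "content-security-policy"];

function inliningImpact(responseHeaders) {
  const report = [];
  for (const [rawName, rawValue] of Object.entries(responseHeaders)) {
    const name = rawName.toLowerCase();
    if (!LISTED.includes(name)) continue;       // header is not on the page's list
    const entry = { header: rawName, restrictsFraming: false, alsoLost: [] };
    if (name === "x-frame-options") {
      // Only DENY and SAMEORIGIN are enforced by current browsers.
      const v = rawValue.trim().toUpperCase();
      entry.restrictsFraming = v === "DENY" || v === "SAMEORIGIN";
    } else if (name.endsWith("content-security-policy")) {
      // One header value may carry several comma-separated policies.
      for (const policy of rawValue.split(",")) {
        for (const directive of policy.split(";")) {
          const [dname] = directive.trim().toLowerCase().split(/\s+/);
          if (!dname) continue;
          if (dname === "frame-ancestors") entry.restrictsFraming = true;
          else if (!entry.alsoLost.includes(dname)) entry.alsoLost.push(dname);
        }
      }
    }
    report.push(entry);
  }
  return report;
}

// Constructed sample response headers for a channel website.
const SAMPLE_HEADERS = {
  "Content-Type": "text/html",
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' cdn.shop.example; frame-ancestors 'none'",
};
```

Site owners can use the `alsoLost` list to see which protections are absent in an editor's browser while the extension is active on their host.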
Security considerations
The BlueConic Chrome extension will only perform its functions for users who are logged in to a BlueConic tenant and for websites that are in that tenant's channels.
The BlueConic Chrome extension is intended to work completely autonomously and ad-hoc in the user's browser. It uses GET REST API calls to retrieve website channel information from the tenant, but it never shares or logs information about the user or web visits.
The BlueConic Chrome extension needs the following browser permissions to function:
alarms: Required to signal the need to update a tenant configuration.
cookies: Required to detect tenant cookies.
tabs: Required to get notifications of requests in tabs or iframes.
idle: Required to detect user inactivity.
storage: Required to store the “enabled” setting.
webRequest: Required to detect and intercept response headers of requests.
declarativeNetRequest: Required to block and modify network requests.
scripting: Required to inject scripts into pages.
host: Required to inject scripts into pages.
Effect of the Chrome Extension on user inactivity logouts
BlueConic site administrators can enforce automatic user logouts based on a period of inactivity. Using the BlueConic Chrome Extension impacts the inactivity timeout setting, because the Chrome Extension triggers a Chrome request every minute to keep track of registered channels and inject the BlueConic script. This behavior may extend the user session because of these requests, and delay or prevent an inactivity timeout.