Sending email from Chrome extension

Question

I do not want the user to have to perform or confirm any actions, as it would disrupt the general idea. In other words, mailto is out of the question.

Is it possible to send emails client-sided via JavaScript, from a Chrome extension, without disrupting the user's experience or adding any JavaScript extension? If so how?

I get the feeling this is going to be impossible.

I've learnt that there is a chrome.sockets.tcp API that may be useable, any idea how?

Answer 1

To send an e-mail, a program needs to connect via TCP to an SMTP server and talk to it according to the SMTP protocol .

1. It is not possible to send an e-mail directly using JavaScript / HTML5 APIs.

A browser does not expose the capability to directly communicate with a TCP socket.

While you can initiate a connection to any port in principle, the browser will "do the talking" and it does not "speak" SMTP. It can do HTTP, it can do WebSockets, but not the protocol you want.

2. It's not possible to send an e-mail directly from a Chrome extension .

While the Chrome extension APIs augment functionality offered by web APIs, they still don't offer you the chance to "do the talking" to a server.

3. It is possible, but not easy, to send an e-mail directly from a Chrome app .

Chrome Apps APIs are different from extensions, but more importantly they include raw access to TCP sockets, via chrome.sockets.tcp API .

Note the words "raw access". You will have to implement your own mail client from scratch in JavaScript. This might be a starting point.

Depending on what you want to achieve, a Chrome app can be an acceptable solution. Alternatively, if you need both extension and app APIs, you can create both and pass messages between them.

4. Anything is possible with a Native Messaging host .

Being basically a native application, you can do anything from a native host app. Chrome extension/app will then be able to call it with necessary data.

However, this will limit your deployment options if you decide to publish the extension; you will have to worry about portability, and the native host cannot be uploaded to the Web Store; you would need a separate installer.

And your messaging host will still need to implement your own SMTP client, though you have a much more broad choice of ready libraries for that.

5. Anything is possible with an external API, but securing communication would be a challenge.

If there's a website that your extension can talk to that can send an email on your behalf, you can make your extension trigger such an API.

However, it's not realistically possible to bury an extension-specific secret into an extension to limit the use of the API.

You could make the user log in to such a service with some credentials, and then store those user-specific credentials in an installed instance, eg an OAuth token. That basically offloads the problem to a web service you must control (or have an agreement with).

For extra reading, here's Apps vs Extensions guide.

Answer 2

I found a simple way to send an email from my Chrome extension (though see a big caveat below):

• On ifttt.com, create an applet with the "Webhooks" service.
• Choose "Receive a web request" as the trigger, and pick an event name ( $EVENT_NAME below).
• Choose the "Gmail" service for the "Then", and use "Send an email" for the action.
• Use {{VALUE1}} as the "To address".
• Use {{VALUE2}} and {{VALUE3}} (values you'll pass from your Chrome extension) anywhere in the Subject and Body.
• Go to ifttt.com/maker_webhooks and click "Documentation" to get your key ( $KEY below).
• Have your Chrome extension make a request to https://maker.ifttt.com/trigger/$EVENT_NAME/with/key/$KEY?value1=$TARGET_EMAIL_ADDRESS&value2=$SOME_OTHER_VALUE&value3=$SOME_OTHER_VALUE (make sure you call encodeURIComponent on each of the values).

There's a pretty serious issue with this, though: anyone can discover that URL (by peeking into your Chrome extension code) and use it to send emails using your template. (In my case, I've only published my extension to a trusted group.) Perhaps you could obfuscate the URL enough in the code that it wouldn't be easy to spot, but I don't know of a way to actually make it secure.