Chrome New Tab Page extension steal focus from the address bar

ManifestV3 update

This answer is adapted from
This has been tested with both Manifest V2 and V3.
Tested in Google Chrome 99.0.4844.51 64-bit (Windows 10).

  1. Replace the content of focus.js with:
  if ( !== "?x") { = "?x";
    throw new Error;  // load everything on the next page;
    // stop execution on this page
  1. Add the autofocus attribute to the <input>.
  2. Go to the Extensions page in Chrome and click the Load unpacked button. Choose the folder of your extension.
  3. Open your new tab page. You might see a modal dialogue reading Change back to Google?. Click Keep it to keep your custom new tab page.
Inline Javascript – Manifest V2 only

If you’re inlining the Javascript in the HTML file, then you’ll need to take some extra steps:

  1. After adding your inline Javascript to your HTML file, open DevTools (F12 key) and observe the error output in the Console. Example output you should see:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". 
Either the 'unsafe-inline' keyword, a hash ('sha256-MK0Gypb4mkZTI11eCOtWT+mGYcJNpN5zccvhfeaRb6E='), or a nonce ('nonce-...') is required to enable inline execution.
  1. Select & copy this hash.
  2. Add a line to manifest.json to allow the JS to run, pasting in the hash you just copied between the single-quotes. E.g.:
"content_security_policy": "script-src 'self' 'sha256-MK0Gypb4mkZTI11eCOtWT+mGYcJNpN5zccvhfeaRb6E='"
  1. Go to the Extensions page again. Remove the extension, then re-add it using the Load unpacked button.
  2. Open your new tab page. Your extension should now autofocus on the <input>.

Note inlining only works with Manifest V2; Manifest V3 returns a failure message when attempting to load the extension (even with a properly formed "content_security_policy" object in manifest.json, to replace the Manifest V2 "content_security_policy" string):

Failed to load extension
File C:\path\to\extension
Error 'content_security_policy.extension_pages': Insecure CSP value "'sha256-...'" in directive 'script-src'.
Could not load manifest.

Leave a Comment