I have a manifest v3 browser extension that has a content script, which I want to be automatically injected into certain pages, without the user explicitly interacting with the extension each time they open it. Normally this would require host permissions, which I want to avoid. Is it possible to have an extension that initially starts with no host permissions, then when the user interacts with the extension and accepts the permissions, it permanently gains host permissions to that page? If so, how can I do this?
I am aware of optional_host_permissions in the manifest, so I realise that an extension can request host permissions, but my understanding is that these increased permissions are only temporary. If this is true, then optional_host_permissions won't suit my need. Also, the requesting can only be done after the user interacts with the extension, but I don't want the user to have to manually click the action button each time they want to enable my extension, it should start automatically.
Related
When I enter user id and password in netsuite every time it asks me my security questions , how can I stop this happening every time. Other people in my team are not having similar issue so I wonder what needs to be changed in my settings
*Note: I am not having administrator role
NetSuite saves a cookie in your browser in order to recognize your machine and browser the next time you log on. If it does not find this cookie it will ask a security question. There are several conditions under which this can occur:
You log on using a different machine.
You use the same machine, but a different browser.
You use 'private browsing' or 'incognito' mode.
You use a browser extension or other program which automatically deletes your browser cache, or cookies, when you exit.
You have your browser itself set to empty cache on exit. E.G.: Chrome has a setting to "Keep local data only until you quit your browser"
Anything else that might interfere with cookies.
You'll need to check which of these apply to you and act accordingly. If you're still unsure what could be causing it, you could reset your browser to defaults, or install a completely new browser and test whether it still happens with that. You may need to disable or uninstall any browser extensions too.
I'm working on an extension that's basically sending out an XHR request and parsing/displaying incoming XML. Ideally I'd like to let users enter the URL they want to send the request to, but to do this I believe I need to change the URL specified in the manifest.json every time the user enters a new URL. Are there any security concerns I should be aware of if implemented? If not I figure just setting the permission to *://*/* might be easier.
If you are letting the user select a URL, you have 2 approaches.
Just allow "<all_urls>" in the manifest (slightly stronger than "*://*/*"). Unless you're doing something specifically bad (like eval or exposing your internals using web_accessible_resources), the only security risk is yourself.
A fancy approach would be to use optional permissions. You put "<all_urls>" in optional permissions then request permissions for new hosts at runtime.
Pros: No scary dialog on install; give the power users comfort in knowing they provided only granular access.
Cons: A permission dialog will appear every time you need new permissions.
I'm currently creating a simple script that is essentially just a form that people can fill out an upload a couple of files.
When I click Deploy as a Web App, one of the form items asks "Execute the app as". One of the options is: Me (example#gmail.com)
Is this safe?
Does that mean anyone who has a link to the script essentially becomes logged in to my account?
Are there security risks to this?
One of the most important issues is, who has access to the Apps Script file. The file sharing settings are set totally differently than the web app deployment settings. You can have the Apps Script file SHARED settings, set to not being shared with anyone, and still have anyone be able to access the web app. So, access to the web app, and access to the file are two different things. That's a key point to understand.
The Execute the app as me, is not inherently unsecure. It doesn't log someone into your account. IF you somehow configured your app to give broad access to your account, which you can do, that's obviously a potential security hole. You should set scopes manually in the appsscript.json manifest file that are more restricted. For example, restricted scopes to your Gmail and Drive if the Web App sends an email, or accesses your Google Drive. You can restrict the email scope to only be able to send an email, and restrict the Drive scope to only be able to access files and folders that the script created, or that the user picked with the Google file picker. You can restrict access to only the current spreadsheet, instead of all your spreadsheets.
Are there potential security holes? Yes. But there aren't any security holes that you wouldn't have with any web app. So, it's really dependent upon the practices you use.
Don't use/store settings/parameters in client side HTML, that directly cause a server function to perform an action that you don't want anyone to be able to execute.
How secure your app is depends on some simple practices.
Don't store settings or information in HTML that could cause a security hole. Passwords is the obvious example. Don't put names of files in HTML code. Don't pass settings or parameters in Client side calls to the server that are obviously a direct link to a server function that has broad access to your account.
You can put an underbar at the end of server side function names so that a user can't know the names of your server function.
https://developers.google.com/apps-script/guides/html/communication#private_functions
Have a main server function that then calls a private function, that in turn branches to other functions. So the user will never know the name of the function that is ultimately doing all the real work.
If someone else has access to modify your Script, then yes, he can re-publish the app that will have access to whatever you previously authorized, but won't have new authorizations. Eg, if you used only SpreadsheetApp as your first code and authorized it, someone who has access to modify this script you already published can open all your Spreadsheets and erase them, but wont be able to touch the Docs.
Someone with the published app URL will have none of this, it will only run the scripts you/shared scripters published.
I use "Me"/"Anyone Even Anonymous" quite frequently, published dozens of apps and never had any issue.
I have a chrome extension that currently communicates with a website over http, what would be the difficulties/problems that could occur if I switch my website to be https.
Communication is done using this method (chrome.runtime.sendMessage)
https://developer.chrome.com/extensions/messaging#external-webpage
And I also pull some Iframe pages from the website
As far as chrome.runtime messaging goes, Chrome does not care, as long as you have permissions.
And that might be your problem if you specified your match patterns as "http://example.com/*" instead of "*://example.com/*". Adding a permission for HTTPS if it wasn't there before may trigger a new permission warning, which is.. unpleasant.
Triggering a new permission warning for an already-deployed extension means that the extension is automatically disabled after the update.
The user is then presented with a popup explaining that the extension was disabled due to requesting more permissions that it had, and requesting the user to review them (or leave the extension disabled). You run the risk of users deciding not to bother, or misunderstand this warning and think it's malware / complain.
Fortunately, "externally_connectable" match patterns do not trigger warnings - because such connections always have to be initiated by the page. If, however, you are also using a permission to do XHR, or a match pattern to inject a content script - the above applies.
You could potentially employ optional permissions to avoid this scenario, but that's a complicated way.
I'm bundling a Chrome extension along with a software.
During the installation I'm creating a User ID and writing it in the registry.
I want my extension to "know" this value too, Can I do it without NPAPI plugin?
If you have a web-site for your product, you can do the following. During installation submit new UserID to your site (in addition to writing it into the Registry), then open in Chrome a specific page on your site, which should contain the same UserID in parameters. Your extansion can read outgoing requests, so it can parse out the UserID. Next it should check response from your server, which must compare UserID value obtained from the browser and the one obtained earlier from your installation. This will prevent UserID spoofing.
Also, though I'm not sure you'll not consider next suggestion as an overkill (so NPAPI plugin looks like acceptable solution as well), but here is how I made a binding between a Chrome extension and external program (for some much more sophisticated purposes than just reading the Registry).
You can build a minimal local web-server (or websockets server) processing requests on a dedicated port, provide it with registration information (UserID, etc), and then request required data from the extension just by means of ordinary http-request (for example, AJAX, or websockets client).
The methods have a drawback related to the need to setup user's firewall, so it would allow traffic either from your installer, or from local web-server.