I am making my first ever chrome extension and I had some questions. My chrome extension is super simple only containing some buttons that go to links. I want to know if I need any permissions for this sort of thing. I am not collecting data or anything like that, I am only giving the user buttons that they can click to go to different URLs.
Picture of my extension
"permissions": ["ANYTHING", "ANYTHING"],
Do I need anything in here?
If not, can I just delete this whole line?
Mostly you will not need this line because you did not access any unauthorized user permissions such as access to the camera, file manager, search history, change the browser's background itself, privacy and follow everything ....
But you are only dealing with a simple HTML page DOM
If you want to know every time do you need permissions or not
Just write your code without asking for permissions, and if it works successfully, you do not need access permission, but if the code does not work, then know that you need permission and review the code that's all
You can also find out what powers you can access in your Google Chrome extension
Declare permissions
Related
I have developed a simple chrome extension which generates QR codes through a form which triggers an API. Through JavaScript the qr code is displayed to the user, and through a button is possibile to download the qr code image.
Since this is a simple extension which is not going to "listen" to or interacting with any users' activities, and since it's not going to change the content of the pages the user visits, what kind of browser_action and permissions I have to set into the manifest.json file?
I'm a bit confused by permissions, activeTab, <all_urls>.
I've read some documentation, but I didn't find any match to what my extension will perform: it feels like I don't have to set any permissions, is that possible? Please help!
Thank you in advance for your answers!
I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.
I'm trying to make a google chrome extension that I want to work on all sites, but I can't figure out how to configure the permissions to do this.
Well, there's a helpful page in the docs called "Match Patterns".
You need "<all_urls>" (literally as written) to request access to every site. It is actually required for some APIs like tab capture.
I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default chrome popup balloon was undesirable. Thus I've used a modal dialog and jquery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM o the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password fields ID they could run a script to continuously monitor the password and username field and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iFrame which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is iframes are subject to same-origin scripting policies as other websites, but I may be mistaken.
As such, would do the same thing be secure?
TLDR
To simplify, if I embedded a https login form from our server into a given DOM, via a chrome extension, are there security concerns to password sniffing?
If this is not the best way to deal with chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that javascript can simply not interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The Same origin policy does indeed protect the contents of the iframe from the main page.
However. There's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting a credentials in a popup window: https://stackoverflow.com/a/10341102/938089