I am trying to find the best way to incorporate a login form inside my extension's popup page just like Passbolt password manager.
I have endlessly searched for solutions and examples only to find some that do not go into much detail (like OAuth). Furthermore, I am trying to completely avoid having to prompt a popup login page to do the job.
Is there any way to securely send over the credentials to my API's controller directly from the extension?
Any examples or resources would be very helpful.
Related
Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.
first post here so I hope I'm not breaking any rules.
So, the situation I'm faced with is a bit complicated. I'm basically trying to login into a hangouts call without having the ability to use the browser itself. I can only insert the URL. Why is that you may ask?
I'm trying to show a hangouts call on my twitch stream using a OBS plugin called CLR browser. This plugin only allows to rezise the window and add a URL from where it'll take information from. It's great for notifications but not so great for what I'm trying to do. But after investigating alot I came to the conclusion that I'm out of options.
I do know you can login to gmail by only using the url like here:
How do I login into Google Apps via a URL?
If, for example I have a hangouts link like this:
https://plus.google.com/hangouts/_/gruxore63cq34fwddtcwwe64raa
Can I add something at the end so it logs in automatically?
Thank you.
Hate to disappoint, but you cannot auto-login using a link. OBS does allow you to screen share a window, though, so you should be able to open your favorite web browser, enter the Hangout, then share the window.
Failing that, XSplit has very flexible screen/region-sharing abilities.
Here's a YouTube video demonstrating exactly how to do this in OBS, and the link is time-coded right to the good-stuff.
I am writing a chrome extension, and I want to find out if the built-in password manager has saved the password of a specific website.
I don't want to know the password, just to find out if there is one for this website.
do you have any ideas how can I do this?
There is no API to interact with the password manager.
There may be very hacky ways of inspecting the loaded login form, but I don't think you're looking for those.
I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default chrome popup balloon was undesirable. Thus I've used a modal dialog and jquery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM o the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password fields ID they could run a script to continuously monitor the password and username field and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iFrame which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is iframes are subject to same-origin scripting policies as other websites, but I may be mistaken.
As such, would do the same thing be secure?
TLDR
To simplify, if I embedded a https login form from our server into a given DOM, via a chrome extension, are there security concerns to password sniffing?
If this is not the best way to deal with chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that javascript can simply not interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The Same origin policy does indeed protect the contents of the iframe from the main page.
However. There's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting a credentials in a popup window: https://stackoverflow.com/a/10341102/938089
We have a requirement for people to be able to look at documents people have uploaded to us (mainly word, possibly some rtf) via our web app. We want the user to be able to open the docs inside the browser, but keep the original formatting and not have the need for another application (like word, acrobat etc).
We thought about using google docs to do this, there appears to be some batch uploading options to get stuff in there but does anyone know if we can use the API's to keep the user on our site without them having to login to google docs themselves, and keep them still on our website with re-directing to google docs to view them.
Cheers
There's an option to make documents public (Somewhere in Share->Advanced Options).
Using api you can get list of documents in your google docs account, you can even search em. In your app you could make a link to the document in google docs which opens in a new window. That way your user will never navigate away from your page. An alternative would be to use an IFrame, but it's considered bad practice.
A completely different approach could be to automatically generate and host a pdf each time someone uploads a file. There are scripts/programs which can do that, just call them after you receive a file.