how to limit chrome extensions to certain domains? - google-chrome-extension

As an end user, I would like to restrict extensions to run only on certain domains. For example, an extension that needs to enhance Gmail should only trigger on mail.google.com.
I am reposting this question from Limit Chrome Extension to certain URLs?
The OP wanted it for extension developers. But as an end user, I want this for protecting myself from rogue extensions, or just to make pages load faster without triggering all the extensions.
I found that the original post had the answer for this at https://stackoverflow.com/a/53315464/1500545
Since the OP's need was for developers, it was not highly upvoted. I will post the answer here and accept it.

credit: https://stackoverflow.com/users/167897/wernight
As a user, with Chrome 71 (or maybe even before), chrome://flags/#extension-active-script-permission (you may need to enable the "User consent for extension scripts" flag) allows you to right-click extension icons and select "This can read and change site data"; then you can choose:
When you click the extension
On current-domain-name.com
On all sites (default)

Related

How to know which permissions my chrome extension needs?

I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. I'm not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions, since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission, or whether I need any additional permission, other than testing my luck by publishing it and waiting several weeks to see what happens, and repeating this process until I come up with the minimum required permissions. So I wonder if anyone knows a better alternative.
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json')                              // the extension's own manifest
  .then(response => response.text())                 // raw JSON text, as the API expects
  .then(manifestText =>
    chrome.management.getPermissionWarningsByManifest(manifestText, console.log));
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls>, which means broad access and the slow manual review queue. As suggested, you can try to use the activeTab permission instead of <all_urls>. In case it doesn't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using the chrome.devtools.inspectedWindow API, which provides an eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
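The answer above says the host-access part of the warning follows directly from the host patterns in the manifest. As an added example (not code from the question, the answer, or any Chrome API), here is a small Node.js script that predicts that part offline, so the check can run before every Web Store submission instead of after a multi-week review. It does not replace chrome.management.getPermissionWarningsByManifest, which must be called from an extension page; it only classifies host patterns. The manifests, the function names (classifyPattern, hostEntries, auditManifest) and the recommendation text are all constructed for this illustration.

```javascript
// Added example, not code from the question or answer above.
// Audits a Chrome extension manifest for host patterns that trigger the
// "Read and change all your data on the websites you visit" warning.
// All manifests below are constructed for illustration.

// Match pattern shape: <scheme>://<host><path>, e.g. "*://*.example.com/*".
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// Classify one entry from permissions / host_permissions / content_scripts.matches.
function classifyPattern(entry) {
  if (entry === '<all_urls>') return 'broad';
  const m = MATCH_PATTERN.exec(entry);
  if (!m) return 'not-a-host-pattern';   // e.g. "storage", "activeTab"
  const host = m[2];
  // A bare "*" host ("*://*/*", "http://*/*") matches every site: broad access.
  return host === '*' ? 'broad' : 'scoped';
}

// Collect every host-granting entry from both MV2 and MV3 manifest shapes.
function hostEntries(manifest) {
  const entries = [
    ...(manifest.permissions || []),       // MV2 mixes API and host permissions here
    ...(manifest.host_permissions || []),  // MV3 keeps host permissions separate
  ];
  for (const cs of manifest.content_scripts || []) {
    entries.push(...(cs.matches || []));   // content script matches grant host access too
  }
  return entries;
}

function auditManifest(manifest) {
  const broad = new Set();
  const scoped = new Set();
  for (const entry of hostEntries(manifest)) {
    const kind = classifyPattern(entry);
    if (kind === 'broad') broad.add(entry);
    if (kind === 'scoped') scoped.add(entry);
  }
  const usesActiveTab = (manifest.permissions || []).includes('activeTab');
  return {
    broad: [...broad],
    scoped: [...scoped],
    usesActiveTab,
    // Broad host access is what sends an extension into the slow manual review queue.
    needsManualReview: broad.size > 0,
    recommendation: broad.size > 0
      ? 'Broad host access: consider activeTab if you only need the tab the user invoked the extension on.'
      : 'No broad host access declared.',
  };
}

// Constructed manifests: the "before" and "after" described in the answer above.
const broadManifest = {
  manifest_version: 2,
  name: 'selector-helper (constructed)',
  permissions: ['<all_urls>', 'storage'],
};

const activeTabManifest = {
  manifest_version: 2,
  name: 'selector-helper (constructed)',
  permissions: ['activeTab', 'storage'],
};

// Scoped host access, as in the Gmail example from the first question on this page.
const gmailOnlyManifest = {
  manifest_version: 3,
  name: 'gmail-enhancer (constructed)',
  content_scripts: [{ matches: ['https://mail.google.com/*'], js: ['content.js'] }],
};

for (const m of [broadManifest, activeTabManifest, gmailOnlyManifest]) {
  console.log(m.name, auditManifest(m));
}
```

Run it with `node audit.js` against a real manifest by replacing the constructed objects with `JSON.parse(fs.readFileSync('manifest.json'))`; the first manifest reports `needsManualReview: true` because of `<all_urls>`, the activeTab variant does not, and the Gmail manifest lists only the scoped pattern.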

Can content inside a sandboxed iframe be read/spied by browser extensions? if not should I use iframe to secure user credentials?

Apart from all the other typical security best practices, I'm wondering about this, since I lately read some articles talking about how browser extensions can spy on anything their user does, so we shouldn't trust them.
Therefore, in order to give users an additional layer of protection, should I process all users' credentials and sensitive info inside an iframe inside my web pages?
Can content inside a sandboxed iframe be read/spied by browser extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a Chrome extension, the extension can do basically anything in the website to access the user's credentials. The extension also has access to the iframes that the page generates.
My proposed solutions to overcome these two issues and keep the website feeling "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no means do you want to let the user put content in if other kinds of extensions are running in the page, what you can do is put some kind of pop-up in the page blocking access for the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go into incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has in his browser. This could also make fewer users leave your page, as forcing him to uninstall all of the extensions in his browser might make him leave your page if the reason isn't clear enough for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is check whether the user has them installed with this solution, Checking if user has a certain extension installed, and then show him a message saying he can't continue until he uninstalls those extensions.

Chrome extension rejection for narrow and unclear purpose

When submitting updates for our extension, we receive the following message with rejection from the Chrome store:
"To have your item reinstated, please ensure:
The purpose of the extension is clear to users; and
The extension either limits its functionality to a narrow focus area of subject matter or to a narrow browser function.
To serve multiple purposes with your extensions, please package each purpose as a separate extension."
Does anyone know the criteria used when determining if the purpose is clear or if the extension is trying to do too much? Our extension is used to demonstrate metrics more conveniently that our clients would normally go to our webpage to see, so it shows a few different but very related items (all of which fit the central theme of showing connected metrics).
Check the Chrome Extension Quality Guideline:
Extensions Quality Guidelines
An extension must have a single purpose that is narrow and easy-to-understand. Do not create an extension that requires users to accept bundles of unrelated functionality, such as an email notifier and a news headline aggregator, or downloads a local executable. If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately. For example, functionality that displays product ratings and reviews, but also injects ads into web pages, should not be bundled into a single extension. Similarly, toolbars that provide a broad array of functionality or entry points into services are better delivered as separate extensions, so that users can select the services they want.
This is further explained in the FAQ page answering these questions:
Why did Google launch a “single purpose” Chrome extensions policy?
Where can I find the “single purpose” policy?
What does “single purpose” actually mean?

Adding Support Page to Web Store Extension Page

I'm trying to add a support page right in the extension window but all that I can find is adding a link to another page. I've included some pictures, as I don't know how to really describe the feature.
That's what I have currently, and below is what I want to have:
This is a screenshot of what I have on the dev page, concerning the support feature-
I'm not sure what I need to change, so any help would be appreciated! (Directed here from this chrome forum thread)
Go to https://chrome.google.com/webstore/developer/dashboard
Click "Edit your User Feedback preferences"
Check the "Enable User Feedback for all my apps in Chrome Webstore." box.
Note that neither you nor your users will get notified of new posts made in the Web Store support section, so you probably want to direct users to a third-party support platform, such as issues on the project's GitHub repo.

Disable chrome extensions for visitors of a certain web-site?

Chrome extensions can interfere with how a site is rendered and/or its behavior. This introduces unnecessary states and potential sources of errors.
So: Is there a way to disable all Chrome extensions for visitors of a certain website?
I don't think such an API exists (we are talking about website scripts, right?). However, you could determine if a specific extension is installed and update your code accordingly. Check this topic on how to do this.
An even better and more relevant topic if you are fighting with Adblock Plus ;)
The best way to handle this so far is to disable Extension sync in that specific browser.
Steps to follow:
https://superuser.com/questions/528014/how-to-disable-chrome-extensions-without-disabling-them-across-multiple-synced-d
