Where was Chrome Extension installed from? - google-chrome-extension

Have an extension that has a good number of installs 10k+ and I'd like to open up a walkthrough page after it's installed from the Chrome Webstore only.
The problem is I never requested the tabs permission when I initially deployed it, so requesting that permission now (in order to lookup the focused tab's url and determine if the install happened from the Chrome Webstore host) causes problems because then all existing installs will have the extension disabled when the auto-update rolls out (due to the new permission request).
Are there any other ways of determining if the install is coming from the Chrome Webstore? I'm not trying to bypass any legit privacy/permission issues. Rather, looking for a technique that allows me to open a window only when it's needed.
Appreciate any thoughts.

Related

How do I get access to all the files in the extension in Chrome Extension Manifest Version 3 (MV3)?

Background
I've been using the crx-hotreload package to auto-reload my chrome extensions during development because it's annoying to have to click the refresh button on the Extensions page every time you make a change; however, this package doesn't work with MV3 because it uses the chrome.runtime.getPackageDirectoryEntry method, which seems to have been removed from chrome.runtime in MV3. I can't find documentation to confirm that it was removed, but it's not there when I try to use it.
Questions
Does anyone know how to get access to all the files in the extension directory in Chrome Extension Manifest Version 3?
Or generally, is there a better way that I can hot-reload my chrome extensions during development that would work for MV3?
This is one of many things based on DOM capabilities of background pages that are removed from ManifestV3 because service workers don't have DOM. For example, getPackageDirectoryEntry is using the old nonstandard FileSystem API in its returned value.
As to why, apparently the switch to service workers simplifies the internal source code in Chromium, even if it doesn't provide any real improvements for extension authors or users.
At this point all you can do is present a convincing use case and ask Chromium developers via https://crbug.com to implement an alternative API.

Install chrome extension using registry

I have an extension that is hosted in Chrome wwebstore, I want to make an installer that installs it automatically through registry, however, I seems that this method does not work anymore, and if it works it wont be activated. Is there any other possible solution after the last chrome updates.
No matter which method you use for an installer, the extension will be initially disabled and user will be presented with a question whether he wants to enable your extension.
That said, this is still the correct method. Add a key to the registry, on next launch Chrome will download the extension and present a dialog to the user.
The only way to install an extension "no questions asked" (on Windows) is through domain policies.

No-Content-Script for chrome extension

I may be a bit of paranoid when it comes to installing chrome extension that request access to all my tabs and data. While a extension may be safe for the moment, a simple auto background update can make it a malicious virus and you won't even get notified about updates.
I would like to specifically whitelist all my extension to access the content pear webpages bases. Is there any such tool out there already (natively perhaps) before i start hacking my own extension to control it on my own.
That would leave me to my next question. Extension can be a bit secured running sandboxed environment and have no access to the "real" filesystem (not the virtual sandboxed filesystem) but could i write a NaCl plugin and have have full access and change the manifest file to change the content_scripts settings? if so, could you point me in the right direction?
I'm not sure to understand clearly your question, but let's calrify some things about extensions and how they can be dangerous:
First: If an extension updates and want to have new authorisations, Chrome will warn you and you can choose if you want it to be updated
Second: Chrome sandboxes extensions running on your computer
Third: The only authorisation that may represent a real danger for your computer are the ones requesting authorisation to "Access all data on your computer"
.
.
.
If you are really worried that some extensions may represent a danger for you (and I understand you), you can restrict them to run on specific webpages by doing the following:
1. Go to the extensions folders [C:\Users(YOUR USERNAME)\AppData\Local\Google\Chrome\User Data\Default\Extensions(APPID)] and open the manifest.json file with any text editor
2. In "content_scripts" declaration, in "matches", specify sites where the extension will ONLY work on [ex:*://google.com/* will make extension be active ONLY for google.com]
You can even be more precise and set specific URLs/HTML pages (see more: https://developer.chrome.com/extensions/match_patterns)
Hope it helps!
If it doesn't, please clarify your question again.

Is it possible to create a Chrome Extension for private distribution outside Chrome Web Store?

We have a Chrome Extension application that we have developed and would like to distribute it only a limited number of internal users.
This would be a private app, but to install it, users now have to follow the manual steps of going to Settings -> Extensions -> clicking on Developer mode -> drop the .crx in there.
I would like to know if there is a way to just have private App Store to privately distribute this app and not have it on Chrome Web Store for anyone to see/download/use.
Thanks for your help in advance ---
You use the Chrome Web Store. 2 options are available:
Share an unlisted Chrome extension from the Chrome Web Store (anyone with the link will be able to install it)
Chrome customers using G Suite or Education can use the Chrome Web Store to host private apps restricted only to their users on the same domain.
See https://support.google.com/chrome/a/answer/2663860
Update 2016-05-20: From https://support.google.com/chrome/a/answer/2663860?hl=en
Chrome customers using Google Apps for Work or Education can use the Chrome Web Store to host private apps restricted only to their users or people who you share a direct link to the app with. Users from the same Chrome domain will see their organization's private apps in a private collection in the Chrome Web Store.
Update 2015-10-27: Google has updated installation policies in attempt to curb malicious extension activity on Windows. On the chrome extension hosting page:
Warning: As of Chrome 33, Windows users can only download extensions
hosted in the Chrome Web store, except for installs via enterprise
policy or developer mode (see Protecting Windows users from malicious
extensions). As of Chrome 44, no external installs are allowed from a
path to a local .crx on Mac (see Continuing to protect Chrome users
from malicious extensions).
With the latest versions of Google Chrome, users are no longer going to be able to just click a download link and have it install with the correct HTTP headers. This leaves you with 4 possible options:
user downloads extension and then drags the file into the extension management page (This no longer works on Windows per update note)
change registry settings on users computers
user downloads extension source folder and loads extension from source in the extension management page
Re-enable extension installs with command-line flag as suggested by Rob W
I have created and distributed several different Google Chrome extensions privately within my company and went with the first option. It is an extra step for the users but it wasn't a big deal. The users did not have to have developer mode enabled in their Chrome browser for this to work.
Yes, you can. You need to create the crx file through the google chrome "Extensions" page (visit: chrome://extensions/ NOTE: You cannot click the link you have to manually copy and paste it, chrome does not allow you to visit the link from href)
On the Extensions page, check the box "developer mode", choose "pack extension".
Now you get the following popup. Click "browse" for the Extension root directory and navigate to the folder containing your extension (the folder containing manifest.json).
The first time you do this, ignore private key file. It will generate one for you automatically and save it to the same folder.
When you release a new version of the extension, use the generated private key file. This way for someone to update the extension, it won't ask for permissions again.
TO INSTALL
To install the extension, just get each user to manually drag the newly created extension crx into the Extensions page (chrome://extensions/).
The first time it will ask for permissions just like when installing from the Chrome Web Store.
For each new version, as long as you used the same private key file for each new version, users just drag the new version into the Extensions page the same way except they won't be asked for permissions again. It will just update the extension.
WARNINGS:
Beware the way you distribute the extension crx file. When user downloads the extension .crx file in Google Chrome, it will think you're trying to install the extension from that page, and come up a warning "couldn't be installed from this site". You need to make sure that users know to ignore the error, and check their downloads folder for the extension to manually install it.
Whenever you download the .crx file, Chrome will give the user a warning saying it might contain a virus. There is no way around this. Even if you zip up the file, Chrome will read the contents and give the same warning. Some users won't install because of this. A workaround is to rename the .crx to something else, like .RENAME_TO_CRX, but this is a hassle and a lot of users either won't want to or won't be able to figure it out.
You can't update the extension automatically. It's just not possible because Chrome manually blocked this capability.
NOTE: Another way would be to release it on the Chrome Store, but only for certain users (not public). Only people with the link could install, OR you could make it only certain people can install and even if you had the link but weren't part of the group, they couldn't view the extension. Only problem here is if you don't want Google to see the extension.
If you use Google Apps, it appears there's now a way to publish apps and extensions to the Chrome Web Store, but only make it visible to users of that domain.
https://support.google.com/chrome/a/answer/2663860?hl=en
Since its internal, could you change registry settings on their computers?
Because if so, you can use them to allow easy install of extensions from outside the web store or force install extensions on their machine.
Look here....
http://www.chromium.org/administrators/policy-templates
http://www.chromium.org/administrators/policy-list-3#ExtensionInstallSources
http://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist

Is there a way to prevent the warning message from displaying on a Chrome extension installation

When you install an extension to the Google Chrome browser from Chrome's website, the installation procedure pops up instantly, without warning. (Chrome's website)
When you install an extension from any other website, there is a warning message: "Extensions, apps, and themes can harm your computer. Are you sure you want to continue?"
My extension is trusted and displayed on Chrome's website, but is there a way to remove this scary warning from my website's download page ?
Thanks
I figured out myself there is no way to do this because chrome just checks if the extension install is launched from its own website.
For people wondering what I eventually did (if there will ever be) :
As soon as the user clicks on the install button, I hide the document with an 80% opaque layer and show a box pointing where to click to continue the installation.

Resources