I am trying to automatically install a Microsoft Edge Extension in an enterprise managed environment: Google Chrome allow this behavior (check this post for further information), but it seems impossible to do the same for Edge (the Edge extension policy states that "The installation must be initiated and completed by the user, using only the user experience provided by Microsoft Edge and the Microsoft Store").
Edit 5/8/20
The new Microsoft Edge based on Chromium supports GPOs (cfr. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallforcelist)
I've been able to forcefully install an extension in a managed environment using this guide.
Unfortunately, when the user open Edge for the first time after the extension has been configured a popup shows up, asking him if he wants to turn the extension on or not, and right now there is no way to forcefully enable the extension.
As you've said, I think it's not yet possible. You may check this thread which also stated that installation of extensions for Microsoft Edge must be initiated and completed by the user. However, there's a suggestion to try Add-AppxPackage which adds a signed app package (.appx) to a user account. Just make sure that package is signed because otherwise Add-AppxPackage would not work.
Related
I have an unlisted extension published through the Chrome web store which is already being used. I have a new version which I would like to release just to testers initially, before a full roll out to everyone. Can this be done?
The same thing has been asked here but it was almost 9 years ago, and the answers disagree on whether it's possible or not:
How to publish new version of Chrome Extension only to testers
The short answer is "No, it can't be done for a published extension".
According to Chrome Web Store visibility descriptions, you must unpublish an extension before it can be published to trusted testers. Users who already have it installed will get updated to the new version.
In your case, you have to create a new extension with the new code, and a different name like "MyApp Beta" and publish it privately to the list of trusted testers.
Maybe you already know this, but you can install a chrome extension manually.
Go to chrome://extensions/ and check the box for Developer mode in the top right.
Click "Load unpacked exention"
Select the folder where your unzipped extension resides in.
So, you can send a zip/rar to your testers, let them follow the procedure and test the extension. Might be that you have to give it another name so as to not conflict with your earlier eversion, or you could ask your testers to delete the existing extension to avoid conflicts.
Well, the simplest way is to pack a .crx file of the tester-only extension then link to it via some cloud-hosting service like Google Drive. There is no way to do this through the Web Store. You could release a different extension as a beta channel though.
Not strictly related to publishing a full extension, but ... you could use feature toggling to control the visibility of new functionality? So wrap the new functionality in toggle checks and only turn the feature on based on some criteria you can decide in a custom roll-out strategy. See enter link description here for an open-source implementation of a feature toggle control system.
If you have a developer account and want to publish it on the chrome web store privately to just testers this is what you have to do:
Go to the Pricing and Distribution page of the extension during the publishing process
Click "Private"
Go to your developer account settings, and in the "Management" section, you can add trusted tester accounts.
You can change the status to public whenever your extension is ready.
This is the context: Suppose there is a plug-in, P, available at the Mozilla Firefox add-on site.
Consider a malicious user that modifies P, for example, to make it deviate from the normal behavior. My first question is:
Could the Firefox browser detect that the plug-in is not the original one (i.e., the one that was downloaded from Firefox site? If this can be detected, could the Firefox browser disable the (modified) plug-in?
Now consider the case of a Web site that interacts with the plug-in P. For example, the site allows access to the web content only if the plug-in is original (it has not been modified).
My second question is:
Could the site be able to detect that this malicious user modified the plug-in?
Firefox detecting changes
All extensions which are downloaded from AMO are cryptographically signed by Mozilla (link 2). If the extension is modified in any way, Firefox will automatically detect that there have been changes and will disable the add-on.
However, if the user is running Firefox Developer Edition, Firefox Nightly, Unbranded Beta, or Unbranded Release, they can change a preference such that the modified extension will not be disabled. The modification will still be detected, and the user informed in about:addons (Ctrl-Shif-A, Cmd-Shif-A on OSX). It is also possible for the user to download the source code for Firefox and compile their own version which disables add-on signature checking.
Temporary add-ons
The normal release and beta versions of Firefox do not permit the user the option to permanently install and run extensions which have not been signed, or where the extension has been changed after signing. However, they do, along with all other versions, permit an extension to be loaded as a temporary add-on even if unsigned, or changed. This makes it impossible unsigned add-ons which require a browser restart in those versions of Firefox.
Summary
Mozilla singing add-ons is intended to prevent add-ons, which are malicious, or that just have not been reviewed by Mozilla, from being downloaded and installed by naive users. Thus, to install an unsigned, or changed, add-on, the user has to jump through extra, inconvenient steps (not use a branded release or beta Firefox, or use a temporary add-on install). However, signing does not, and was not intended to, prevent the user from intentionally changing an add-on and not being able to run it.
Website detecting that the extension has changed
No, assuming that the modifications to the extension are intentionally being hidden, there is no guaranteed way for the web page to detect that a change has occurred. The modified extension can spoof any information that is provided to the web page by the original extension code. You can make this hard to do, but it can not be guaranteed.
You have not mentioned why you are wanting your website to be able to detect these changes. Thus, without guessing as to the purpose, it is not possible to provide you with reasonable alternatives.
You're asking for DRM, i.e. the ability to verify that a remote piece of software running on general purpose computing hardware is executing the code which it itself claims to be executing.
This is not possible, since the claimant can always lie and run any code snippet used for interactive authentication in some form of emulator.
Depending on what you're actually trying to achieve you should use user-specific authentication, i.e. tie site access to some token or password instead of the addon, or treat all inputs by the addon as unstrusted and verify them against whatever protocol they should follow.
In short: Validate data, not code.
I have an extension that is hosted in Chrome wwebstore, I want to make an installer that installs it automatically through registry, however, I seems that this method does not work anymore, and if it works it wont be activated. Is there any other possible solution after the last chrome updates.
No matter which method you use for an installer, the extension will be initially disabled and user will be presented with a question whether he wants to enable your extension.
That said, this is still the correct method. Add a key to the registry, on next launch Chrome will download the extension and present a dialog to the user.
The only way to install an extension "no questions asked" (on Windows) is through domain policies.
My question is how do third party installer installs addons in the browser like toolbars and able to set homepage and other browser properties??
I want to make an addon which get installed in browser in same way..
is it possible??
In principle, installing extensions along with other software is possible. I'm describing the procedure for Windows.
The following conditions have to be met:
You must be able to write to the HKLM registry subtree (needs Admin rights)
The extension must be published on Chrome Web Store
The machine must be able to download the extension from Web Store
If those conditions are met, you can do it according to the procedure described here. Basically, the installer must create a registry key that will trigger Chrome to download the extension on next launch.
That said, Google has gone to great pains to prevent silent installs and avoid browser settings hijack. Such setting overrides are a weapons race and Chrome is tightening its defenses. Ask yourself whether it's ethical to install your extension this way.
It will probably annoy your users and will flag your extension for more meticulous checks by Google. Remember that Google can disable any extension hosted by the Web Store if it violates its policies.
Also, be mindful of the single purpose policy. A toolbar that also overrides search/homepage/settings will be frowned upon. At a minimum it should be separated into several extensions, at a maximum - don't do it.
An extension can override, say, a homepage, but it's very restrictive. The extension must be in the Web Store as above, and any override pages must be verified for ownership for the Web Store developer account. All in the name of security and comfort of the users.
I have a chrome extension that i built for my company employees,
we have our own instance of google apps #ourcompany.com
I have a gae app that tells the extension that it needs to be updated but the actual update process has to be done manually.
is there a way where i can do this update automatically once it's available?
You should publish your app to Chrome Web Store, and enjoy the auto-update process it offers, unless it's impossible due to CWS policies or packaging complications like Native Hosts/NPAPI.
When you do, you have an option to restrict installs to users of your Google Apps domain.
There are legitimate cases when you don't want to migrate over to CWS.
If you have a way to force install of your extension (ideally via Group Policy) and not concerned by tightening of security for Windows, you can just use update_url field in the manifest.