I'm creating a voting system in my extension and, if it's possible, I would like to add a CAPTCHA to restrict people from voting again.
Yes, it's possible.
It depends on where exactly in the extension (content script, popup view or some custom page) you will have the voting component, but in general it's like a regular web application.
As an end user, I would like to restrict the extensions to run only on certain domains. Like an extension that needs to enhance gmail, to only trigger on mail.google.com.
I am reposting this question from "Limit Chrome Extension to certain URLs?"
The OP wanted it for extension developers. But as an end user, I wanted this for protecting myself from rogue extensions or just to make the page load faster without triggering all the extensions.
I found that the original post had the answer for this at https://stackoverflow.com/a/53315464/1500545
Since the OP's need was for developers, it was not highly upvoted. I will post the answer here and accept it.
credit: https://stackoverflow.com/users/167897/wernight
As a user, Chrome 71 (or maybe even before) with chrome://flags/#extension-active-script-permission (you may need to enable the "User consent for extension scripts" flag) allows you to right-click extension icons and select "This can read and change site data"; then you can choose:
When you click the extension
On current-domain-name.com
On all sites (default)
I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default Chrome popup balloon was undesirable. Thus I've used a modal dialog and jQuery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM of the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password field's ID, it could run a script to continuously monitor the password and username fields and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other Chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iframe which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is that iframes are subject to the same-origin policy like other websites, but I may be mistaken.
As such, would doing the same thing be secure?
TLDR
To simplify, if I embedded an https login form from our server into a given DOM, via a Chrome extension, are there security concerns about password sniffing?
If this is not the best way to deal with Chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that JavaScript simply cannot interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The same-origin policy does indeed protect the contents of the iframe from the main page.
However, there's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting credentials in a popup window: https://stackoverflow.com/a/10341102/938089
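As an added example (not code from the answer above or from any of the extensions mentioned), here is the background-script side of the "separate window" approach: the login form lives on a page packaged with the extension, it is opened with chrome.windows.create so it is a top-level window rather than part of any website's DOM, and the background script accepts the submitted credentials only when the message verifiably came from that page and not from a content script running inside an arbitrary site. The file name login.html, the message shape `{ type: 'login', ... }`, the window size and the fake sender objects are assumptions made for illustration; the `chrome` checks let the file load outside an extension for testing.

```javascript
// Extension-origin page that hosts the login form (assumed file name).
// Content scripts injected into websites never have a chrome-extension:// URL,
// so sender.url lets the background script tell the two apart.
const LOGIN_PAGE = 'login.html';

// Options for chrome.windows.create: a standalone popup-type window whose
// address is our own extension origin, so no website can inject into it.
function loginWindowOptions(extensionId) {
  return {
    url: `chrome-extension://${extensionId}/${LOGIN_PAGE}`,
    type: 'popup',   // no tab strip; still a real top-level browser window
    width: 420,      // assumed dimensions
    height: 520,
  };
}

// True only if `sender` (the second argument of an onMessage listener) is our
// own login page: same extension id and a URL that is exactly
// chrome-extension://<id>/login.html, optionally followed by ?query or #hash.
function isFromOwnLoginPage(sender, extensionId) {
  if (!sender || sender.id !== extensionId || typeof sender.url !== 'string') {
    return false;
  }
  const expected = `chrome-extension://${extensionId}/${LOGIN_PAGE}`;
  if (!sender.url.startsWith(expected)) return false;
  const rest = sender.url.slice(expected.length);
  return rest === '' || rest[0] === '?' || rest[0] === '#';
}

// Message handler: returns what the listener would send back. Credentials
// from any other sender (for instance a content script on a rogue page that
// imitates our dialog) are dropped rather than forwarded to the backend.
function handleMessage(msg, sender, extensionId) {
  if (!msg || msg.type !== 'login') return { accepted: false, reason: 'unknown message' };
  if (!isFromOwnLoginPage(sender, extensionId)) {
    return { accepted: false, reason: 'credentials not from the extension login page' };
  }
  // Here the real extension would POST msg.username / msg.password to its
  // backend over https from the background page; omitted in this example.
  return { accepted: true, user: msg.username };
}

// Wire-up that only runs inside an actual extension (Manifest V2-era APIs,
// as in the answer's era; chrome.windows and chrome.runtime are assumed present).
function openLoginWindow() {
  if (typeof chrome === 'undefined' || !chrome.windows || !chrome.runtime) {
    throw new Error('openLoginWindow must run inside the extension background page');
  }
  chrome.windows.create(loginWindowOptions(chrome.runtime.id));
}

if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender, chrome.runtime.id));
  });
}
```

The essential check is the sender URL prefix plus the exact-path comparison: `sender.id` alone is not enough, because messages from the extension's own content scripts carry the same id while running in a web page the attacker controls.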
Is there any good reason why I can't use two of them together?
browser_action
page_action
app
I can't think why a single extension can't use browser- and page-specific actions together. Why should I have to write a separate extension for each action ...
For a browser that boasts about its simplicity I believe that is the clearest explanation. To prevent clutter.
Packaged Apps are the easiest to explain, as they are basically an alternative to Hosted Apps for developers that don't wish to host a service or wish to make their app fully integrated into Chrome and/or work offline. However, since packaged apps are bundled as extensions, this prevents them from adding anything to the browser's chrome, since hosted apps don't have this ability.
Regarding the action choice, I can only imagine this restriction is to help prevent extensions from overcrowding the address bar and the toolbar with duplication.
In a lot of cases using badges and the onClicked event correctly can replicate a lot of the functionality of page actions in browser actions while using a combination of content scripts and message passing to trigger changes.
The StumbleUpon extension rotates its browser action's behavior depending on whether or not its toolbar is currently displaying.
Hi everyone
I want to develop a button like 'facebook like button'.
I am going to use it on my website and am thinking of sharing it as an iframe like Facebook, but I can't work out its security, because someone can develop a script that can click on it automatically.
I thought of a solution using sessions but I couldn't make a complete algorithm.
How can I disallow auto-clicks, and which solution is the best? It can be any language; I just want the algorithm.
Thanks, have a nice day.
Edited:
Think of a website like Facebook. I log in to Facebook and I can click on the Like button on any website.
Move to a new page and allow the logged-in user to confirm that they were the ones who clicked the Like button.
I'm not sure that there's a surefire way to prevent clickjacking or the type of fraud you're referring to, given that you want to place your button in an iframe.
See http://ha.ckers.org/blog/20081007/clickjacking-details/ for more info.
You can't prevent this; once you have generated the Like button, the button can be accessed directly.
You can only protect yourself using client-side defence technologies like those Comitari supplies.
They have a free product that protects you against ClickJacking and LikeJacking attacks.
I know Gmail has contextual and side-bar gadgets, but how do browser extensions such as Rapportive work? Are they injecting their buttons / displays into the browser page? If so, wouldn't the browser extension break if Google decided to change the way they layout the page?
Are they injecting their buttons / displays into the browser page?
Yes.
If so, wouldn't the browser extension break if Google decided to change the way they layout the page?
Probably.
They probably leverage some part of the Gmail Greasemonkey API and inject scripts into the page to use this.