How to hidden install extension? - google-chrome-extension

Is there a way to install a crossrider extension on a user's computer without letting him/her know it? My website requires this when a user click on a "set as homepage" link.
Thanks for any help.

Changing the user's home page is generaly concidered as a very annoying thing to do. You can look at this previous discution.
Installing an extension without warning the user is not possible in a normal way because of obvious security reasons. When you know what kind of things you can do with google extension, it's better like this. It should be a huge problem if an extension can install himself without warn and send your password or personnal information like your bank credentials...

Related

Installing and enabling external Chrome extensions

I'm developing a Chrome extensions that would be installed simultaneously with a desktop app, as an "external extension" as the docs call it. But I believe the extension would be disabled, and users would need to manually enable it. It's inconvenient to do this and not at all obvious how (at least to users not very familiar with extensions).
Is there a way to automatically enable the extension, or make it very easy for users to manually enable it? This was asked in the comments on this other stackoverflow question, but no one had an answer.
Another issue is that I think Chrome has to be restarted for the extension to be installed at all. This is obviously very disruptive from a user perspective. Is there a way around this?

Can content inside a sandboxed iframe be read/spied by browser extensions? if not should I use iframe to secure user credentials?

Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.

Can my chrome extension open a link in a different profile?

I use two different Chrome profiles (users) on my laptop: one for my work stuff and one for my personal browsing.
Sometimes I click a link from HipChat and it opens it in the personal profile even though it's for work (e.g. login.work.com). (This is because I happen to have been in my personal chrome window most recently.)
I'd like to make a chrome extension I can install in my personal profile to match the URLs of *.work.com and send these over to the work profile window.
I haven't found a way to open a url into a different profile. Anyone know of a way?
(A hacky idea I got from reading https://superuser.com/a/289618 is maybe I could shell out to something along the lines of google-chrome --user-data-dir=$work_profile, but I'd be happier if there was a JS API and I didn't have to ask permission to run programs on the user's computer.)
Dropping an answer in case it's still useful to anyone.
I built my chrome extension CopyTabs (https://chrome.google.com/webstore/detail/copytabs/obkbjogekcjalnaebheboejhfkamadkg) to do something similar. It is able to open links, current tabs, selected tabs or windows, in the current chrome user profile, another chrome user profile or another browser entirely.
I made use of chrome.exe --profile-directory="profileName" to open URLs in a selected profile, but this has a handler that runs on the user's machine, with profileName being the internal name of the chrome profile, for example --profile-directory="Profile1" instead of --profile-directory="My Name As Profile".
So to answer your question, no I don't think there's anyway around a local handler on the user's machine to achieve this functionality.
Though the question is an old one but maybe someone is looking for an answer.
In the new versions of chrome when you right click on a link, in the pop-up menu, there is an option to open the link in another profile. For this to work, ofcourse, there need to be multiple user profiles in Chrome.
Works like a charm!
Hope it helps.
There is no solution for this. It would need a handler, a separate program, that captures the URL before it reaches Chrome, parses your preferences for which URLs go to which profile and then starts the specified Chrome installation with specified profile flags.
However, afaik, such a program does not exist (at least on Windows).
Further, Chrome cannot even select which profile out of many is selected, when Chrome is started from the OS "call URL to be opened" function and NOT started by user-activated clicking on a Chrome application shortcut (with specific profile selection instructions).
Naturally, the latter works 100% wonderfully on Firefox, which has built-in profile selector after the browser has been started, and regardless of which method was used to start Firefox (user click on Firefox icon or OS pipe of "open URL" to Firefox).
So; no solution in Chrome.
I believe that Account Surfer should be able to do the things that you're looking for. Here's an overview from Windows store:
Quickly switch between accounts and browsers with Account Surfer.
Decide what account or browser to use when opening the link.
Read more:
https://dospolov.com/posts/handle-chrome-profiles-with-account-surfer
https://trello.com/b/QOLCmlg3/account-surfer-roadmap
Yes u can:
install extension like this https://chrome.google.com/webstore/detail/open-in-ms-edge/mjoebkkejejidnkfdekpbooceogbapnf
copy address of profile (for example: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Profile 2)
Insert it in settings of extension
profit
OR
Use Browser Chooser 2
The app finicky did the trick for me. You can check out this link for installation and configuration for the same.
Finicky example configuration

access chrome password manager

I am writing a chrome extension, and I want to find out if the built-in password manager has saved the password of a specific website.
I don't want to know the password, just to find out if there is one for this website.
do you have any ideas how can I do this?
There is no API to interact with the password manager.
There may be very hacky ways of inspecting the loaded login form, but I don't think you're looking for those.

Force users to uninstall chrome extension

I built a quick one-off chrome extension about a month ago during the SOPA craziness. Long story short, it unblacked Wikipedia, so that people who needed it could get some work done.
Once the blackout was over, I updated the app to no longer have any effects on any websites. I also modified it so it would put a console.log() saying essentially "The blackout is over. SOPA is still important, but you should uninstall this extension".
Unfortunately, a month later, I'm still showing that 90% of the original users have the extension installed. Certainly it doesn't have that large of a footprint, but as a developer I feel it's my duty to not let my extension become crapware on my user's computers.
Is there a way to forcefully uninstall a chrome extension? Is there some way that would be unintrusive to the user that I could inform them that they should uninstall the extension?
You can update the extension so that it requires the 'management' permission, and then use chrome.management.uninstall to make the extension uninstall itself.
In my opinion, there is no way in this situation. Unless
If your extension makes a request to a server that you can access, such as a web service from you, maybe you can send an alert to your users.
If auto update is enabled in your extension, you can update your extension. In your updated version, you can show users an alert (shouldn't be a real javascript alert. Some kind of alert) to uninstall your extension.
If auto update is enabled, you may update your extension to do nothing. Just a console.log message.

Resources