I may be a bit of paranoid when it comes to installing chrome extension that request access to all my tabs and data. While a extension may be safe for the moment, a simple auto background update can make it a malicious virus and you won't even get notified about updates.
I would like to specifically whitelist all my extension to access the content pear webpages bases. Is there any such tool out there already (natively perhaps) before i start hacking my own extension to control it on my own.
That would leave me to my next question. Extension can be a bit secured running sandboxed environment and have no access to the "real" filesystem (not the virtual sandboxed filesystem) but could i write a NaCl plugin and have have full access and change the manifest file to change the content_scripts settings? if so, could you point me in the right direction?
I'm not sure to understand clearly your question, but let's calrify some things about extensions and how they can be dangerous:
First: If an extension updates and want to have new authorisations, Chrome will warn you and you can choose if you want it to be updated
Second: Chrome sandboxes extensions running on your computer
Third: The only authorisation that may represent a real danger for your computer are the ones requesting authorisation to "Access all data on your computer"
.
.
.
If you are really worried that some extensions may represent a danger for you (and I understand you), you can restrict them to run on specific webpages by doing the following:
1. Go to the extensions folders [C:\Users(YOUR USERNAME)\AppData\Local\Google\Chrome\User Data\Default\Extensions(APPID)] and open the manifest.json file with any text editor
2. In "content_scripts" declaration, in "matches", specify sites where the extension will ONLY work on [ex:*://google.com/* will make extension be active ONLY for google.com]
You can even be more precise and set specific URLs/HTML pages (see more: https://developer.chrome.com/extensions/match_patterns)
Hope it helps!
If it doesn't, please clarify your question again.
Related
Background
I've been using the crx-hotreload package to auto-reload my chrome extensions during development because it's annoying to have to click the refresh button on the Extensions page every time you make a change; however, this package doesn't work with MV3 because it uses the chrome.runtime.getPackageDirectoryEntry method, which seems to have been removed from chrome.runtime in MV3. I can't find documentation to confirm that it was removed, but it's not there when I try to use it.
Questions
Does anyone know how to get access to all the files in the extension directory in Chrome Extension Manifest Version 3?
Or generally, is there a better way that I can hot-reload my chrome extensions during development that would work for MV3?
This is one of many things based on DOM capabilities of background pages that are removed from ManifestV3 because service workers don't have DOM. For example, getPackageDirectoryEntry is using the old nonstandard FileSystem API in its returned value.
As to why, apparently the switch to service workers simplifies the internal source code in Chromium, even if it doesn't provide any real improvements for extension authors or users.
At this point all you can do is present a convincing use case and ask Chromium developers via https://crbug.com to implement an alternative API.
I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
We have authored a Chrome extension and would like to ensure that our extension does not at any time participate in being sync'd using Google Account synchronization, even if the user has specified in the Advanced sync settings dialog that extensions be sync'd. Is there a way to prevent this sync'ing on a per-extension basis? Is there some setting we could place in the extension manifest file to accomplish this? Or other way to accomplish this?
If that is not possible, can we force the Extensions checkbox to always be unchecked and unalterable by the user, using enterprise-level techniques such as Group Policy Update? This is not optimal, since we only want to stop the sync'ing of our extension, and not prevent sync'ing of all extensions.
We do see that the SyncDisabled policy registry setting is available to us, but that looks like it will disable ALL data synchronization including Apps, Extensions, Settings, History, etc. This is even less desirable to us, since we don't want to affect other synchronization -- we just want to prevent only our extension from being sync'd.
The use case for this involves the following:
A corporate user installs Chrome on his work computer. Our extension is useful in the enterprise environment and is installed on Chrome.
At some point, using the Chrome browser, this user logs into his personal Gmail account. He has set up his Google Account to turn synchronization on.
Now when this user, using his home computer and Chrome browser, logs in to Google, he will find that our extension has also been installed on his Chrome browser at home -- this is not desirable, since our extension has no usefulness in the home environment. Moreover, the user may consider the presence of our extension an unwanted intrusion into his home computing environment.
The only remedy for this user would seem to be that he could go to the Advanced sync settings and uncheck the Extensions checkbox, but then he would lose the benefit of extension sync'ing of other extensions, which he may want.
Well, if you're doing it in a corporate / managed environment, you don't need to publish your extension on Web Store at all (thus preventing the sync) if you can use Group Policy.
Any extension in ExtensionInstallForcelist will be installed even if it (and its update manifest) is hosted outside Web Store. This will prevent the extension itself from syncing (though will probably still allow chrome.storage.sync to function for it, which is a plus).
Other than that, I don't think there's a way to prevent an individual Store-hosted extension from syncing.
Chrome extensions can interfere with how a site is rendered and/or its behavior. This introduces unnecessary states and potential sources of errors.
So: Is there a way to disable all Chrome extensions for visitors of a certain website?
I dont think such API exists (we are taking about webiste scripts, right?) However you could determine if specific extension installed and update your code accordingly. Check this topic how to do this.
Even better and actual topic if you are fighting with adblock plus ;)
The best way to handle so far is to disable Extension sync in that specific browser.
Steps to follow:
https://superuser.com/questions/528014/how-to-disable-chrome-extensions-without-disabling-them-across-multiple-synced-d
.
As the question says, can an extension save files to a user-set location for all future downloads (that differs from the download location set in preferences)?
If so, how would this be done?
Thanks
See this issue for a lengthy discussion on the matter. Per the last qualitative entry on 8.10.2012:
The downloads ui is a very sensitive part of chrome from a security
perspective, so it is unlikely that we will ever be able to allow
extensions to completely replace chrome's downloads ui. We have plans
to allow extensions to extend chrome://downloads in a limited and
safe way, and extensions may add browser action buttons, but
replacing the downloads ui entirely is not likely in the foreseeable
future. Witness the search engine hijacking security issues. With the
--disable-downloads-shelf flag, extensions could suggest that users set that flag.
Please also feel free to write a download manager extension as a
browser action to demonstrate a better ui. If a download manager
extension gains sufficient popularity, we may consider adopting
something like it as chrome's native downloads ui. That's a more
likely way that extensions could replace the ui, but slower and safer.
My guess is that you can't. It would be a security issue if plugins had such abilities.