Is it possible to retrieve the computer name when developing a Chrome Extension, for example "Jenny-PC"?
At first glance I did not find the API, but maybe I missed something.
If you are quite the daredevil, you could try to extract that info from a NPAPI plugin. This is quite dangerous, as you can read more about on the chrome extension site
No directly, for security reasons extensions can't access OS services.
But, hacker way, you may find some odd way to get what you're looking for.
If your extension has file:// permission, it can read system configuration files.
If you can get the user drop some file containing the name you want on some receiver in your extension's page, you can read it with HTML5 FileReader object.
If you can get the user download and execute some script you wrote (for example a .bat in Windows), it can grab that name and send to the extensions in various ways:
- writing it in a file the extension can read
- executing something like
"c:\chrome install folder\chrome.exe" chrome://extensions/yourextensionkey/receiver.html?name=thenameyourellokingfor
About file:// permission
Chrome Web Store doesn't allow uploading nor publishing extensions with such permission. But the extension works if you install it as a developer, or as .crx .
I'm not sure, but I think you can upload it to Chrome web store modifying it, in order to ask for permission.
Related
I just wrote a chrome extension which adds a tab to devtools that generates CSS selectors from sample elements on any page. I have set the "<all_urls>" permissions since I'll inject JS using content scripts in whatever page the user wants to select sample elements. I just paid $5 to Google and as I was in the process of publishing the extension to the chrome extensions store, Google warned me it may take several weeks for my extension to be approved because permissions are too broad.
According to Google, I may not need to declare any host permission if I declare the activeTab permission. Not sure if that applies to my case, but most importantly, I have no idea whether I may actually need additional permissions since no warnings will be shown when my extension is unpacked (I understand that to mean no warnings will be shown and the extension will be allowed to run any code regardless of any missing permissions), which is how I'm testing it.
Google then suggests packing the installed extension in order to see the warnings, but then I won't see any warning because the extension won't run. So I don't seem to have any way to know whether I actually need the "<all_urls>" permission or whether I need any additional permission other than testing my luck by publishing it and waiting several weeks to see what happens, and repeat this process until I come up with the minimum required permissions, so I wonder if anyone knows a better alternative.
Permission warnings are shown by the browser before an extension is installed. They list the API and host permissions. These warnings don't influence the functionality of the extension.
To view these warnings you can run the following in devtools console opened on any of your extension pages (i.e. not in content scripts):
fetch('/manifest.json').then(_ => _.text()).then(_ => chrome.management.getPermissionWarningsByManifest(_, console.log))
To view the permissions of any installed extension, unpacked or from the store, open chrome://extensions page and click the details button on that extension's card.
The circled part is for API permissions. Site access below lists the host permissions, which are displayed in simplified form when an extension is installed in the web store e.g. <all_urls> would be "Read and change all your data on the websites you visit".
The exact text of each permission warning is also listed in the documentation.
Your extension uses <all_urls> which means broad access and the slow manual review queue. As suggested, you can try to use activeTab permission instead of <all_urls>. In case it won't work, open a new report on https://crbug.com because the old one was abandoned. Also, try using chrome.devtools.inspectedWindow API that provides eval method that is similar to chrome.tabs.executeScript and might work with activeTab. Note, it's not related to JavaScript eval.
I may be a bit of paranoid when it comes to installing chrome extension that request access to all my tabs and data. While a extension may be safe for the moment, a simple auto background update can make it a malicious virus and you won't even get notified about updates.
I would like to specifically whitelist all my extension to access the content pear webpages bases. Is there any such tool out there already (natively perhaps) before i start hacking my own extension to control it on my own.
That would leave me to my next question. Extension can be a bit secured running sandboxed environment and have no access to the "real" filesystem (not the virtual sandboxed filesystem) but could i write a NaCl plugin and have have full access and change the manifest file to change the content_scripts settings? if so, could you point me in the right direction?
I'm not sure to understand clearly your question, but let's calrify some things about extensions and how they can be dangerous:
First: If an extension updates and want to have new authorisations, Chrome will warn you and you can choose if you want it to be updated
Second: Chrome sandboxes extensions running on your computer
Third: The only authorisation that may represent a real danger for your computer are the ones requesting authorisation to "Access all data on your computer"
.
.
.
If you are really worried that some extensions may represent a danger for you (and I understand you), you can restrict them to run on specific webpages by doing the following:
1. Go to the extensions folders [C:\Users(YOUR USERNAME)\AppData\Local\Google\Chrome\User Data\Default\Extensions(APPID)] and open the manifest.json file with any text editor
2. In "content_scripts" declaration, in "matches", specify sites where the extension will ONLY work on [ex:*://google.com/* will make extension be active ONLY for google.com]
You can even be more precise and set specific URLs/HTML pages (see more: https://developer.chrome.com/extensions/match_patterns)
Hope it helps!
If it doesn't, please clarify your question again.
I am trying to write a chrome extension that initialize some parameters from a config file.
I would like to allow the extension to change those parameters and save them to the file so that the next time the extension was loaded it uses the new configuration.
I have been reading the chrome.filesystem api but it needs the interaction of the user to choose the file. However in this case the process must be done automatically without any action of the user.
Since this configuration file will be only accessed by the extension it could be sand-boxed but It must be persistent even if chrome is closed.
I manage to read the file using an XMLHttpRequest but I could not find a way to modify the file.
Is it possible to do this from a chrome extension?
This is an old question but unfortunately the only response it got was wrong.
It's definitely possible to read and write files using HTML5 in Chrome, without the vague "security" issues mentioned. The HTML5 Filesystem creates a protected sandbox in which you write and read virtual files: you can think of it as files being written in file based database managed by Chrome and not accessible by either other Chrome apps & extensions or other OS based applications. The user won't be able to copy or move these files using his OS file explorer since they reside inside the web browser's file DB.
You can't read (or write) arbitrary files from (to) disk based on any given file path.
If you need a file from disk you can only let the user select it himself by using chrome.fileSystem.chooseEntry()
You can however read (and write) your own files from (to) the HTML5 Filesystem.
So to answer your question: no you don't need user interaction to write your config file to the browser's file system.
An alternative to files could be chrome storage, localstorage or even indexedDB to store your (persisted) config key-value pairs.
Here are a couple of useful links to start reading about it:
Toying with the HTML5 filesystem
HTML5 Rocks
HTML5 demos
I imagine allowing a chrome extension to write to config files without the user knowing could be a bit of a security problem. You're probably hitting up against a security feature. A potential work around is to build a desktop application that is always on, and your chrome application communicates with it. Heck, you might able to do what you need to (without knowing all the details) with something like autohotkey.
I looked into very many Google Chrome extensions and apps in order to find one that matches the following requirements:
runs in a Google Chrome tab
editor for any code, PHP, CSS, HTML
can load and save files (on my computer) and create new ones
works with local files on my computer
Is there any? kodingen, cloud9, shiftedit does not seem to make it on the localhost.
Maybe SourceKit will do?
SourceKit is an extension to your Google Chrome browser which runs in a separate tab. The files are stored in your Dropbox account, so not only can you access the files from your computer - you can access them from anywhere! It uses syntax highlighting like Notepad++ for a limited number of languages (you said php, css, and html - they are all supported). It can load, save, and edit text files locally on your computer if you install the Dropbox Desktop Application. This will also synchronize the files with your online account and thereby make them accessible from anywhere in the world.
That sounded more like a salesman's advertisement than intended.
Both Dropbox and SourceKit are free.
There are four catches as far as I can see:
Dropbox "only" offers 2GB for free, however, you can upgrade at any time if you're willing to pay.
Dropbox Desktop will only synchronize one folder (and all of its contents), but that's really not any different from a web site.
SourceKit will not debug your code, but will it highlight wrong syntax(only for certain languages).
EDIT Does not work offline.
I've tried it out, and it works well.
Sympathy Editor
Sympathy uses the npapi-file-io plugin mentioned in an answer above to allow you to edit local files.
Pros
Allows you to edit local files
Full syntax highlighting
Bookmark local files for easy access
Cons
Uses npapi plugin to read files, which means it has access to all your data
Unavailable on Chrome Webstore
Still under development
Only works on linux/windows as of the moment (not in mac)
If you are interested, you can see the README, or Manual on github.
Disclosure: I'm the primary developer of the extension.
Don't any of these extensions you have mentioned work with the file:/// protocol? They will work for the http:// protocol only if you are going to edit files inside your local webserver.
Instead of writing http://localhost/(...) you write file:///(...), where (...) is the full path.
In UNIX systems it is file:///home/jens/file.txt. In Windows it should be file:///C:\(...).
#Berk Demirkir may be right.
Here are the resources I found that may be of use;
32 Google Chrome Extensions For Smart Designers
Chrome Web Developer Tools No. 7 on the above list
There's no extension for editing local files.
But you can write one!
Acesses to local filesystem cannot be done using Chrome's Extension API.
But you can use HTML5's File API (which is draft) or Local Storage. If none of these storage methods sufficient for you, you can build a NPAPI Plugin. Chrome supports NPAPI Plugins. There's also a project called npapi-file-io in Google Code which aims to access local files from Google Chrome Extension context.
Edit:
Now, there's one usable editor, Symphaty. You can use Capt.Nemo's Symphaty editor.
Edit 2:
NPAPI plugins are phased out from Chrome since version 42. The only alternative would be to use a wrapper native app and communicate using Native Messaging API.
ShiftEdit can be used to work locally, you will need to have XAMPP or equivalent installed.
I am thinking about having the following use-case:
User installs application on local machine.
User goes to our website, and are presented with many links (choices).
User clicks on a link.
Application starts, with some information contained within the link passed to the application.
Step 4 is obviously a security minefield. The end goal is that the user makes a choice, and if the application is installed, it starts with some information passed to it (ie command line parameters, or perhaps a temp file somewhere on the user's machine)
Can I/ Should I access the registry from javascript? Are there any ideas about how I might go about this? Do you have an alternative suggestion?
Assuming the applications the user installs are also developed by you.
Register a file extension for use by the specific application - then your web links can be links to a file that is downloaded and auto-run by your app. The file could contain details on the defaults for your app to use.
Sort of like how clicking on a .pdf file opens your pdf reader.
As an alternative to the file-extension solution you may want to know about Custom Application Protocol feature. Link is for Windows but there are nearly same techniques on other systems. I can't say if this approach works in every browser but you may want to try it out.
Accessing the registry from JavaScript inside a browser is nigh on impossible for the security implications. To access the registry from the web, I'd imagine you'd have to use a binary (C++ or others) program that can read the registry, but also has an HTTP module to communicate with your server.
Sounds like you might need the Click Once deployement feature for your app. I think once it's installed over http there should be a pretty easy way to launch an executable.
http://en.wikipedia.org/wiki/ClickOnce