I want to build a Chrome Extension for the Developer Tools that watches for changes a given folder and refreshes/updates the CSS/JS/image files in the browser.
There is a similar approach already:
http://tin.cr
Tin.cr uses NPAPI which is not sandboxed and has some security issues, so I can't use it in some dev environments where company polices have strict rules (specially in the financial industry).
Another approach is to use NaCl (Chrome's Native Client, which is sandboxed).
I am a front-end dev, with little knowledge in C, so I need some help, please.
How can I watch/monitor file changes in libuv? If someone could provide a code snippet I would greatly appreciate it.
From what I understand from the docs, libuv would allow the extension to work cross-platform, am I wrong?
Thanks
NaCl doesn't have an API to watch changes in a given folder on disk. Can you use Google Drive? Google Drive has an API for getting list of changed files: https://developers.google.com/drive/v2/reference/changes/list.
Related
We have a static website, we outsource the website maintenance, we don't have source code repository, so contractor edits the code on production server directly.
It has no problem, as our website built decades ago with old school html4 only. What it store on the web server, is what the source code is.
At today, the web site can be composed by UI framework, eg. Vue, React....etc. Sometimes the HTML file contains web components and other JS module. I have done a little google to learn that, building a website today need NPM, NodeJs, Webpack, Gulp....etc, they manage js module and bundle / built the production code...
My problem is, we like to revamp our website with modern UI (HTML5, CSS3, mobile friendly...). The tools I just mentioned will "process" the source code and output production code. We don't have the source code server (eg. git server), for our contractor to store the source code. ( our company management doesn't allow us to purchase private repository services on the internet. eg..github, gitlab...etc).
Can I keep using the old school way? the source code on the production web server is always the only source code...
I have tried myself to using the require.js, it loads js module on the browser, so I can handle module loading without node.js and Webpack, and writing the web component in vanilla js. Is it the only solution I can do?
You certainly could continue to manage this site the "old school" way, but in doing so, you'll be ignoring the benefits that all the modern tools give you.
For example
no git (or other version control) means no rolling back changes (or errors)
using version control software also means you have a backup and you don't need to set up a backup scheme on the production server to save your files
editing on the production server means if someone makes a typo, the site is messed up; etc.
I would strongly recommend modern tools; if cost is a concern, consider free tools:
Bitbucket has long offered free private repositories; Github has recently also started offering them.
Tools such as Hugo, Jekyll, and others permit creation of static sites quickly and easily.
Edit in answer to some of the comments...
Switching to a more modern development workflow (including version control) is not just about saving money, it's also about:
Does the employer/client want their developer(s) spending a lot of time managing the site - possibly including fixing problems - or do they want them working on something else?
Is the employer/client willing to have periods of time when the site does not work correctly? As #birdspider mentions in the comments above, if you have multiple people working on the website on the production server, they're going to be messing up each others' work. Note that the use of a VCS helps avoid avoid some of the problems with people stepping on each others' toes and it also make fixing those conflicts so much easier.
If you approach the employer/client with these points and their answer is "we just don't like it", then there's probably not much else you can do. If I were in your shoes, I'd be strongly tempted to either a) implement something on my own (just to preserve my own sanity, although really this is probably not a good idea) or b) find a new job.
I am about to begin the process of creating a Windows-based utility app to manage localized expressjs server that will utilize a graphical Windows based application to manage some of the features of this service
however before I begin I would like to speak with the community to try to get some advice Advice on how to properly protect the code since it will all be node JS bees I need to make sure it’s protected and some of my initial reading online seems to show that using electron by not be the most Safeway saw that being said how are you guys handling this to keep node JS these code protected with electron and in my case On windows environment
Any advice would be greatly appreciated much thanks
tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.
Long answer:
Use the asar option when building your app.
Obfuscate the code with an uglifier.
Use WASM
Language bindings to grab your data from a compiled format
neonjs for Rust
edge-js for C#
N-API, NAN for C/C++
Otherwise, your files are scripts, all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)
If you want to protect yourself from code manipulation, there are better ways to do it, like Hashing, Context Isolation etc. Electron has a whole chapter on the matter.
https://github.com/electron/electron/blob/master/docs/tutorial/security.md
Small Update (2020):
I've seen this library a few weeks ago and thought it would show a nice way to further obfuscate the code from being read by external parties
https://github.com/OsamaAbbas/bytenode
The basic idea is to compile the JS into bytecode for V8. This works very well for Electron and is definitely a hurdle not everyone will get over. But, this will not protect your code from being turned back into readable JS. It's just another layer of protection to make it more difficult.
This question is pretty short and self explanatory. I'm wondering how I can run my Chrome extension in NW.js.
I know you can run an app in NW.js and I think you can run extensions as well?
I can't find much on the topic. Back in 2013 the way to do it seemed to be:
nw [path to manifest.json] --load-extension
Any ideas are appreciated!
Yes you can.
First off, download the extension you want. For this example I'll be using this debugging tool, which adds an additional tab in the dev tools window.
Inside your NW.js package.json file, ensure you have an entry called chromium-args.
Ensure its value contains --enable-extensions --load-extension=relative_path_to_extension_manifest.
My package.json looks like this:
After restarting the application, the extension shows up as expected:
Something I'll add is that the full Chrome API might not be available to you. I couldn't find info about what NW.js supports, but Electron definitely does not support the entire API, so this might have similar restrictions.
I also noticed you mention in the comments that you need to assign a hotkey of sorts. I'd need to know what you were trying to do, but essentially you have the option of either using a browser mechanism such as addEventListener('keydown', myHandler) or using the NW.js API depending on your exact needs.
first things first , i have seen nwsnapshot. and its not helping.
i am building an inventory management system as a desktop app using node-webkit . the project being built is using compoundjs (mvc javascript library). which have a definite folder structure (you know mvc) and multiple javascript files inside them.
the problem is nwsnapshot allows the app to have only a single snapshot file but the logic of application is spread over all the folders in different javascript files.
so how do i secure my source code before shipping it to client? Or any other work-around Or smarter way (yes, i know about obfuscating).
You can use nodewebkit command called nwsnapshot to compile the javascript code into binary which will be loaded into the app without specifying any js file
nwsnapshot --extra-code application.js application.bin
in your package.json add this:
snapshot: 'application.bin'
It really depends on what you mean by "secure".
You can obfuscate your javascript code fairly well (as well as potentially improve performance) by using the Google Closure Compiler.
I'm not aware of any off-the-shelf solutions to encrypt/decrypt your javascript, and honestly I would question the need for that.
Some people think they need to make it impossible to view their source code, because they're used to dealing with compiled languages where you only ship binaries to users. The fact is, reverse-engineering that binary code was never as difficult as some people think it is, so if there's any financial incentive, there is practically no difference between shipping source code and the traditional shipping of binaries.
Some languages have offered genuine encryption of deployed assets, such as Microsoft's SLPS. It seems to me that the market for this was so small that Microsoft gave it to a partner (just my view). The truth is that most customers are not interested in taking your source code; they're far more interested in your ability to service and support that code in an efficient manner, while they get on with their job.
You may consider to merge the JS files into one in the build process and compile it.
I'm a complete Node noob, so I apologize if this question has an obvious answer.
I'm looking to create a web app that will run plugins from untrusted sources (i.e. community submissions). So I need to lock down those plugins into a sandbox where only certain access is allowed (can't write to disk, etc.). Ideally, the plugin would only be able to use certain approved node packages and APIs.
Is this possible in Node? If so, can you point me toward a package or documentation that will get me started?
Here is a small list of projects that can help you:
https://github.com/gf3/sandbox
https://github.com/hflw/node-sandbox
https://github.com/bcoe/sandcastle
https://github.com/wearefractal/boxy
I suggest the first one (sandbox) since it's more mature.
I would also contribute to the list with my library: https://github.com/asvd/jailed. In addition to the sandboxing of the untrusted code (in a restricted subprocess), it gives an opportunity to export any set of functions inside the sandbox thus defining a custom API for the sandboxed code.