I know that lastpass extension have a binary component to communicate passwords between browsers (to firefox and IE). What mechanisms can be utilized by chrome extension to communicate with other system processes?
Apparently there's a Native Messaging API coming soon.
Source
Chromium Commit
Youtube Video example
If you need to communicate with the system, then you have basically two options:
You can embed an NPAPI plugin, which, generally, is discouraged when not absolutely necessary (and even then :) ).
Your system process can run a web server with a well-defined API that your extension talks to. This ends up being message-passing writ large, but has the potential of being much more secure, since the processes can be independently sandboxed. WebSockets are pretty useful for this sort of thing, but a lot can be accomplished with simple HTTP requests to 127.0.0.1 via XHR.
Related
Chrome no longer supports NPAPI, so I need to rewrite my java-applet, e.g. as chrome extension.
Chrome community advices JavaScript API as alternative for access to OS features (see here)
Could you please point me, which exactly API allows to mount webdav disk?
OS access in Chrome apps/extensions is severely limited for security reasons so I think you'd be better off transforming your existing java code into a standalone application which will run in background and communicate with your Chrome extension via native messaging.
You most certainly need to do more research.
There is no feature parity between NPAPI and JS APIs. What's listed in the docs is the extent of JS API capabilities, and it's mostly sandboxed from real OS environment.
To replicate NPAPI capabilities, the closest alternative is (as wOxxOm's answer suggests) Native Messaging. Note that it is mentioned in the deprecation notice you quote. If you need to mount something on the host OS, that's your only option.
Chrome Apps have a different set of APIs available for them, which usually are less restricted in terms of sandboxing. For instance, r/w access to user-specified portions of host OS filesystem is possible.
Lastly, for the sake of completeness, there is a very specific fileSystemProvider API targeting ChromeOS only that allows you to do exactly that, provide a mountable filesystem from a Chrome App.
All that said, if you don'y need to present the WebDAV disk to the host OS but just manipulate some files within the extension, there are pure-JS implementations of WebDAV (not using any platform-specific APIs). It all depends on what you intend to do with the filesystem.
I have a NPAPI plugin for sign-in data on website.
I want to replace it by Native Messaging technology. I have read the documentation, but I have a question : Is this technology safe?
Can hackers catch data in transfer from JavaScript to native host app and back?
Edit: merging in a better-worded question:
How secure is stdio data transfer ?
Is there a way for man-in-middle attack for such data transfer ?
It is, in principle, possible to inspect stdio calls made by an executable.
For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.
That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.
So, yes, in principle that can be intercepted, but only by someone will full rights to execute/debug code on the system it's running on, and OS takes care not to allow normal users to inspect processes of other users in this way.
You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.
So what exactly is the problem here? If the Hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.
Not really, sometimes hackers can find XSS in vulnerable site, then it may be possible to use Native Messaging to execute command on Victim system
So after developing an extension for a few hours, assuming that the chrome.socket API would be available to extensions, I load in my extension and I'm told that the Socket API is only available for 'Packaged Apps'.
Does anyone know what's happening, and whether extensions will get the feature (back, since I think they had access when it was in .experimental)?
From the Chrome docs:
Packaged apps can act as a network client for TCP and UDP connections.
No, extensions do not have access to the socket API, and they aren't likely to ever get it.
Your confusion is understandable, since what Google called "packaged apps" used to be nothing but glorified extensions with an icon on the home screen. However, Google is now driving a much wider divide between extensions and apps.
Extensions used to have a subset of the functionality the apps did, but now there is mutually exclusive functionality in each. Extensions are meant for enhancing normal Web browsing, whereas apps are meant to be used as stand-alone tools that do not interfere with normal browsing. If you look at the API lists for apps and for extensions, you'll see that the list is vastly different: apps have the powerful hardware- and OS-centric APIs like socket, usb, and bluetooth, while extensions have a monopoly on browser-centric APIs like tabs, cookies, and bookmarks.
I have a backend software that needs to be able to communicate with a gecko-based web browser (and vice-versa). What is the best way to realize this? Since HTTP is rather one-way (with the exception of e.g. reverse AJAX which I consider to be quite "hacky") I am wondering how to do this.
Would creating an NPAPI-based plugin be an option? Based on the data exchanged between the browser and backend, the browser needs to manipulate the DOM of a webpage. The manipulations need to be quite dynamic and communication speed is an important requirement.
I am glad for any help pointing me in the right direction or providing useful resources that might be worth reading!
Writing browser plugins isn't quite trivial, if you can use alternatives like WebSockets (or their emulations like web-socket-js, see here and here for more details).
Only if such alternatives don't give you enough control because of special requirements should you consider writing a browser plugin.
With it you would get the full benefits of native code (high control over whatever API you choose) but also the problems that come with it:
you have to start to worry about privileges
bugs can crash the whole browser
you might have to handle behavioral differences between platforms and browsers
you have to worry about distribution on multiple platforms
...
If you need the higher level of control for some reason you could
implement the connection handling of your choice in the plugin
let the JavaScript initiate connections and send data
let the JavaScript register handlers for incoming data etc.
on incoming data call those handlers and pass them the data
To get started with NPAPI plugins see here, to support IE too you'd have to write a content extension. Finally i would advise to take a look at FireBreath that already does much of the heavy lifting for you (hides the different APIs for IE and NPAPI, gives you a higher level API, fixes for browser bugs included, ...).
gud day!.
i am to develop a system that would simply list all URL accessed in a browser with its response time.
my probtion is alem is this applica standalone program(not a plug-in to a certain browser) written in c++. every time a user browse, the program then performs certain method.
so it is like, my program would listen to the browsers events. i dont know how to create an EVEN SINK implemetation for the above mention event in web browsers like Internet explorer, mozilla firefox and google chrome.
any suggestion, advise or idea i cant get from you for me to be able to start the development. any areas i need to focus in studying.
thanks alot for your time! hope for your response!:)
best regards!
The easiest way to achieve what you need is intercepting network traffic and extracting URLs from HTTP packets.
You can do this in many ways, e.g.:
using WinPCAP/libPCAP libarary
modifying LSP stack
intercepting winsock functions calls
If you're on the Windows platform, I think your best shot is using the MSAA interface, which is supported by all three browsers.
Documentation:
MSDN Overview and C++ API
Firefox statement of support for MSAA
Chrome
You could take a lower-level approach (such as an LSP), but they're much harder to debug.