I am currently trying to detect if a user has a certain Chrome extension installed. The Chrome extension is not my own and I do not have the source code to it. I have tried methods in numerous posts but they all fail. What I've tried and why it failed is detailed below.
This results in 'cannot read property connect of undefined' when executed:
var myPort=chrome.extension.connect('idldbjenlmipmpigmfamdlfifkkeaplc', some_object_to_send_on_connect);
Trying to load a resource of the extension as follows to test if it's there but going to this URL in browser results in 'your file was not found' Chrome error page (note that I found this path by going to C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\idldbjenlmipmpigmfamdlfifkkeaplc\1.0.0.1_0\ on my Windows local machine):
chrome-extension://idldbjenlmipmpigmfamdlfifkkeaplc/1.0.0.1_0/icon_16.png
Using Chrome management but this results in console error 'cannot read property get of undefined' when executed
chrome.management.get("idldbjenlmipmpigmfamdlfifkkeaplc", function(a){console.log(a);});
And most other answers I've come across seem to involve the extension being written by the same person who is trying to check for it.
Assuming you need it from a website
connect/message method implies that the extension specifically listed your website in the list of origins it expects connection from. This is unlikely unless you wrote this extension yourself, as this cannot be a wildcard domain.
Referring to files within the extension from web context will return 404 simulate a network error unless the extension declared them as web-accessible. This used to work before 2012, but Google closed that as a fingerprinting method - now extensions have to explicitly list resources that can be accessed. The extension you specifically mention doesn't list any files as web-accessible, so this route is closed as well.
chrome.management is an extension API; websites cannot use it at all.
Lastly, if an extension has a content script that somehow modifies the DOM of your webpage, you may detect those changes. But it's not very reliable, as content scripts can change their logic. Again, in your specific case the extension listens to a DOM event, but does not anyhow make clear the event is received - so this route is closed.
Note that, in general, you cannot determine that content script code runs alongside yours, as it runs in an isolated context.
All in all, there is no magic solution to that problem. The extension has to cooperate to be discoverable, and you cannot bypass that.
Assuming you need it from another extension
Origins whitelisted for connect/message method default to all extensions; however, for this to work the target extension needs to listen to onConnectExternal or onMessageExternal event, which is not common.
Web-accessible resources have the same restrictions for access from other extensions, so the situation is not better.
Observing a page for changes with your own content script is possible, but again there may be no observable ones and you cannot rely on those changes being always the same.
Similar to extension-webpage interaction, content scripts from different extensions run in isolated context, so it's not possible to directly "catch"code being run.
chrome.management API from an extension is the only surefire way to detect a 3rd party extension being installed, but note that it requires "management" permission with its scary warnings.
Related
I want to develop a google chrome extension which replaces url to another if page is not available.I mean it responses
*The server DNS address of the example.com host machine could not be found.
*ERR_CONNECTON_RES
or same as these stuations.
I have searched how extensions work and found these extentions run after DOM is completed.But i believe that there is no impossible thing.
Is there a any code i can add to run the extension before DOM is completed to content.js.
You won't be able to work with just content scripts; those cannot be used on Chrome error pages.
So, you'll need a background page and some API event to listen to for the specific case of network errors.
webNavigation API seems to be a good fit, e.g. webNavigation.onErrorOccurred.
Is there a way to identify and block JS files/events that are not part of your domain?
Like assume, if I'm writing a extension for chrome and I put following code in my JS
$('div').on('click', function(){ alert("yup"); });
is there a way for a website to handle this case?
Edit 1:
After discussion with #Clive, I realized that all extension/application should run in sandbox and should not be able to access events/elements outside the scope.
Case
A chrome extension have a keypress event on input[type=text] and input[type=password]. Now this extension runs in background, so there JS files are always available. Hence if you open facebook and login to your account, this extension will capture data and can send it to its server.
My Case
Two user was getting alert messages multiple times. Initially we thought its a part of our code and checked all JS files. But then realized, both user had same extension and so we diagnosed that extension's JS file and found alert in it. Now we were lucky, no damage was done, but it still posses a possible security threat.
Short answer: No.
Long answer:
Chrome extensions run their code in a separate space from your site's code, so they don't interact at all. The best you could do is prevent DOM edits. Luckily chrome extensions already run in a sandbox and have to explicitly ask for permissions for the domains that they inject code in and those domains are all listed when you install an extension. The only other way for extensions to interact with a page is through the activeTab permission which is a one time allowance on a specific user action. If you are using an extension that you think is malicious, you can always just read the code since JS is naturally open source. It really all boils down to a matter of trust. Installing something is explicitly trusting that thing to not mess up your stuff. This applies to all programs. If you don't trust an extension, then don't install it. A sandbox can only prevent so much while still letting extensions do something.
Is it possible to detect via JS what extensions / add ons a user has installed on his browser? The use case was the a particular chrome extension, Autofill was setting some text values into hidden zip fields causing some validations to fail and I want to show a message to the user that this extension might create problems.
For Firefox: First snippet of code on: AddonManager.jsm - MDN
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAllAddons(function(aAddons) {
// Here aAddons is an array of Addon objects
});
// This code will execute before the code inside the callback
Must run this code in privelaged javascript, as in not a tab. You can try for specialPowers though I don't know how that works.
To run privelaged script from your site you will have to create a firefox addon and addEventListener's to your site, like a button to list the addons, you would attach a privelaged function to that.
With the addon you enable/disable addons, but users find that annoying because addons do some obtrsuvie stuff on install sometimes.
For Chrome extensions specifically, only certain extensions are detectable so this is not a very good method, but as far as I know, there are no longer any reliable methods to detect browser extensions.
For the extension that you want to detect, you would need its Extension Id and its Web accessible resource.
Some extensions have web accessible resources and some do not. If there is no web accessible resource, you will not be able to detect that extension.
To find the web accessible resource, you will need to look at the extensions chrome.manifestfile. It will tell you if there is web accessible content. For example, the chrome.manifest file might say:
content web-developer content/web-developer/ contentaccessible=yes
Generally, its not very effective to look for browser extensions since you have to know which extensions you want to detect ahead of time and many times they are undetectable.
Also, here's a good link that I used when I was trying to do the same thing here
NavigatorPlugins.mimeTypes
Take a peek at the MDN page
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorPlugins.mimeTypes?redirectlocale=en-US&redirectslug=Web%2FAPI%2FNavigator.mimeTypes
Hope it helps
In JavaScript check to see if the zip field has been changed while it is hidden and show a warning to the user that an extension might be causing issues.
For Firefox you can do it with Mochitest/SpecialPowersAPI
https://developer.mozilla.org/en-US/docs/SpecialPowers
I see that enablePrivilege is deprecated in Firefox. I am trying to adapt my intranet code base to this.
The most critical place is assigning the 'view' of a 'tree' element. This requires elevated privs, though I really don't understand why. Is there another way to do this that does not require the elevated privileges? Will a way to do this be provided before enablePrivilege goes away?
The application is not an extension but a signed JAR file that runs as content.
Looking through bug 546848, Mozilla doesn't plan to allow websites with elevated privileges any more. This functionality introduces security risks that are simply not worth it (similarly to remote XUL in general). The proposed solution would be using a Firefox extension to do any special actions that might be needed. Ideally, you would move your entire web application UI into an extension and only leave the server as a backend. But I guess that this solution would require too much effort on your side. A simpler solution would be a single-purpose extension that receives a message from your website and sets the tree view.
Interaction between privileged and non-privileged pages describes how this communication could be implemented. Your website would set a property _myTreeView on the <tree> element and dispatch an event on it. The extension would receive the event, verify that event.target.ownerDocument.defaultView.location.host is your intranet website (important, allowing any website to trigger your extension would be a security hole) and then set event.target.view = event.target.wrappedJSObject._myTreeView. See XPCNativeWrapper documentation on why wrappedJSObject is necessary here.
I'm doing an extension now and i have one part of script which is static (will never change) and another part which is loaded from the website. And, i'm seeing 2 ways:
To load it with XMLHttpRequest and inject into web page
To put it as a <script src="example.com/myscript.js"></script> and have it load it itself
But, the second way probably won't have access to my extension API (to functions defined in extension files, i.e. in chrome://myext/script.js)
And, the first way will probably be unsecure because i will have to eval the code in a gBrowser.contentWindow.wrappedJSObject object which is a Window object for the loaded page
Any ideas?
Are you saying that you want the dynamic script to have chrome privileges? If so, why not load it using XMLHttpRequest, save it to disk and then import it as a JavaScript Module (https://developer.mozilla.org/en/JavaScript_code_modules/Using). Obviously there are security considerations since you are giving a script from the web pretty much unlimited privileged, but if you control the script's source then you are presumably okay. If you are really worried you can use HTTPS to download the script, which will protect against someone intercepting the traffic.
If you want the code to run with content privileges but have access to functions in your chrome JavaScript, then maybe you want to expose the chrome functions to content as described in this article: http://weblogs.mozillazine.org/weirdal/archives/017188.html