I am building a Chrome extension for a client that utilizes the Google OAuth2. The extension is highly customized for his company and is meant to be used internally and for security reasons I am supposed to just send him the .crx file, so no Chrome Web store or hosting or similar.
I have registered the extension on Google Dev Console and hard coded the received client ID and API key for OAuth access into the app. As such, naturally, the extension works properly in the development. However, when I sent the packaged .crx file to the client and he installed it in his Chrome he receives the following error:
That’s an error.
Error: origin_mismatch
A native application: HipLead Extension
You can email the developer of this application at:
jovandamjanovic#gmail.com
Request Details proxy=oauth2relay755552705 immediate=false
scope=https://www.google.com/m8/feeds
origin=chrome-extension://hajhlcbhmjjihnbjhjabojkmonelialo
response_type=token redirect_uri=postmessage
state=515453249|0.4168528853
client_id=898271548842-dhmt34v9rnu3mvbc0sgvobunnjj3qciv.apps.googleusercontent.com
include_granted_scopes=true That’s all we know.
I understand that this is the error originating from the fact that, when he installs the extension on his end, his local copy has a different id. Registering that id in the console also wouldn't work as that would require me to insert the new client id into the hard code and then repackage the ext, sending it to him, which would generate a third yet id etc not solving anything. I cannot use the web store or online servers and I would like to avoid making a 'configuration' pane in the extension for him to enter the client id if I can. Is there a way to predict the id and hard code it before packaging and sending the finished extension?
Installing an extension via a CRX file by simply dragging it to Extensions page is not supported anymore: [1] [2], at least on Windows and OS X.
There are two methods left, unpacked install and enterprise install.
Unpacked install means just extracting the extension to a folder and then loading it as you would for development. Then, indeed, the ID would change; but there is a way to pin it down by providing a "key" field in the manifest. See more details in this FAQ entry.
In a serious enterprise environment though, such a method is quite unacceptable. The "golden standard" method is Enterprise Policy install. This will allow keeping the CRX file on some internal server and auto-update from there. Your client needs to seriously consider this plan.
Related
i've created electron app that will asking for authorization to my google drive account. my application is very simple, it will display the list of files from my google drive account. Here's the link
To get the authorization key, manually i have to click authorize button from my electron app, then it will open new tab in my default browser. i need to give the permission to accessing my google drive data. Then google drive will provide the authorization key to me then i can get and enter the key to my app.
How do I run the above scenario automatically?
You really don't want this to be the default flow for your users' code so I am assuming you are asking for test automation so you can test this works. You would basically:
Install the chromedriver package.
You would create a script that downloads and launches chromedriver then use something like webdriver.io to launch a Chrome session.
In the session, you would configure the user data directory to the user's real directory. You can find the locations in different operating systems here.
You now have a fully automated Chrome with the user's data.
Now, you use electron to request permissions, which will open a tab on the browser with an active selenium session.
Call browser.click('...') on whatever element you want in the page to accept the request.
I want to make it very clear this is only acceptable and will work when testing. "In the wild" controlling the user's browser without explicit permission through a third-party executable is a sure-fire way to get flagged by every anti-malware product in the market and liable for data breaches.
This has been a bit hard to find, given Chrome has changed its API a lot so have found outdated suggestions. And what's not outdated is from the POV of writing an extension
Our js app is having trouble when some users have a specific chrome Extension installed. We want to warn users of potential issues if it sees that extension is present in the users browser.
This extension loads a single content-script and runs in the background. It doesn't have an open connection, exposure variables to the clients window or anything advanced.
Is there a way the client can ping or check for this script?
For instance, I tried using fetch of the chrome-extension:// manifest - same via a script tag loading the extensions main.js but those don't work, chrome complaining it can't load the asset (presumably a permissions issue)
Is it even possible?
To Support our WEB Page, We will give some setup(exe) to be installed in client machine. While installing Our SETUP, we will set/Create some registry key and values. Whenever Our Web page loads on that machine, we have to verify whether particular setup installed or not. How can i do with Vb/C#
Unless you can use an antiquated version of IE and its ActiveXObject, you can't read the registry from client-side web page code in a browser. Imagine the security concerns if you could.
This is a pretty general question with a couple examples. I'm fairly new to writing chrome extensions and I seem to keep running into cases that are impossible to test without deploying to the webstore (which takes ~60m each time). This is an impossible workflow. Am I missing something?
Case 1 inline installation
Trying to set up inline installation from my site to a chrome extension. When I run the site locally i get the following.
Error downloading extension: Inline installs can only be initiated for Chrome Web Store items that have one or more verified sites.
But I cannot seem to add localhost website property in chrome's developer dashboard. What is the recommended way to do this in a dev environment. I tried using local.mywebsite.com and adding a local alias for localhost, but now chrome cannot find the verification file you are required to serve...
Case 2 Chrome Extension OAuth
Attempting to use chrome.identity.launchWebAuthFlow to setup user credentials in my extension for my website, but of course the callback url provided https://<ext-id>.chromium.org/provider-cb does not redirect to my local deploy of the extension.
Is there no way to test these things??
Regarding your error "Inline installs can only be initiated for Chrome Web Store items that have one or more verified sites.", you may follow the instructions given in this page.
You need to:
Go to the Webmaster Tools.
Add the site to your sites.
Obtain and embed a verification code into your site.
Complete verification in Webmaster Tools.
Go to your Developer Dashboard (must be under the same Google account) and edit your Web Store item.
Select your site in "Verify that this is an official item for a website you own:"
Here are some references which might help in testing extensions:
Testing browser extensions
How to test chrome extensions?
I am about to finish my Google Chrome extension. If I'm not mistaking all Chrome apps come with a capability of auto-updating. If so, is there a way for me to test it before I submit my app to the Chrome Web Store?
PS. Also do I need to account for any special conditions in my extension?
To test the updating procedure, it's best to submit your extension to the Web Store in a non-public fashion.
As you publish an item, you have a choice of Public, Unlisted, and Trusted Testers publication.
Public means that the extension will be searchable and everyone can install
Unlisted means everyone can install, but they need the direct link to the extension listing; it will not be searchable in the Web Store and not indexable by search engines.
Trusted Testers is the same as above, but also restricts installs to a whitelist of Google Accounts.
Go with any non-Public option and you can test it as it would actually behave (including the unfortunate delay of automatic review checks).
The method described by kadaj is no longer valid for Windows, as Chrome will reject any CRX not hosted by the Web Store.
But previously, yes, you could test this with setting up your own hosting (i.e. Dropbox Public folder) of the CRX and its associated update XML, as described in the guide. This still works for non-Windows platforms, as well as Dev/Canary builds on Windows.
All you need is to increment version number in your manifest file and the chrome app will automatically update itself. If you want to test this you can host your own extension and specify a update_url. Follow the guide at https://developer.chrome.com/extensions/autoupdate