U2F support without the U2F Chrome extension - javascript

I've started fiddling around with U2F and it's looking really promising. Got myself some security keys and started digging into it.
I've managed to create a working register/login demo website which works well using the U2F tokens and the U2F Chrome extension.
However... and this is where my question arises:
I've also enrolled a security key for my Google account and immediately got struck by the fact that it works without using the U2F Chrome extension. As a matter of fact I've done all the Google enrollment and logins without even having the extension installed. How is this possible? I've read (some of) the FIDO specifications and saw that there may be two API levels: high - which is the u2f namespace exposed by the extension - and low - which involves using the MessagePort API. Maybe this is how Google does it? (I also tried doing a chrome.runtime.connect(...) myself, but the chrome.runtime object is undefined in my web page.)
Any pointer in the proper direction would be appreciated and of great value at this moment, as there aren't many resources available on this young project called U2F.

Chrome is whitelisting Google domains. Non-Google domains have to use the extension for now. However, this will change "very soon" according to Google -- this is documented here and mentioned by a Google developer in this webinar.
Edit: The extension is no longer required with Chrome 41. You can test it out here (Note: When accessed from an older version of Chrome, or not via HTTPS, the site will fall back to using the extension).

Related

How can I open developer tools with JavaScript? [duplicate]

I'm looking for a way to open the WebKit “developer tools” from a script attached to a web-page. I need solutions for both Google Chrome and Safari, that will open the developer-tools pane if it's not already open, and (hopefully, if you can figure out how) also switch to a particular tab/section of said pane upon opening.
(Use-case, if anyone's interested: I want to open the console.log output-window if there's been an error and a developer is looking at the page; this particular page will be the output of some JavaScript unit-tests.)
I'm setting a bounty on this question because it's obviously one that hasn't been answered to anyone's satisfaction before, and the answer is a hairy one. Please don't answer it unless you have a real answer that both: 1) works in both browsers, and 2) doesn't require private extension APIs that won't work from a static web-page.
See (related, but specific to Chrome, and extensions): Can I programmatically open the devtools from a Google Chrome extension?
Simply: You can't.
The Dev Tools are not sandboxed (unlike any web page), thus granting sandboxed environments the power to open and control an unsandboxed environment is a major security design flaw.
I hope this answers your question :-)
You cannot directly use the Chrome's Dev Tools from your web pages. It is bundled with the browser.
But you can use it like a regular web application. Go to Chrome Developer Tools, then go to Contributing. You will find help on using Dev Tools for your app.
Setting up
Install Chrome Canary on Mac OS / Windows or download the latest Chromium build from the Chromium continuous builds archive on Linux
Clone Blink git repo from https://chromium.googlesource.com/chromium/blink.git
Set up a local web server that would serve files from WebKit/Source/WebCore/inspector on some port (8090)
Running
Run one copy of Chrome Canary with the following command line flags: --remote-debugging-port=9222 --user-data-dir=blink/chromeServerProfile --remote-debugging-frontend="http://localhost:8090/front_end/inspector.html". These flags cause Chrome to allow websocket connections into localhost:9222 and to serve the front-end UI from your local git repo. (Adjust the path to chromeServerProfile to be some writable directory in your system).
Open a sample page (eg www.chromium.org).
Run a second copy of Chrome Canary with the command line flag: --user-data-dir=/work/chromeClientProfile. Open http://localhost:9222. Among the thumbnails you will see the sample page from the other browser instance. Click on it to start remote debugging your sample page.
The DevTools web page that opens is served from the remote-debugging-frontend in the first browser instance, which serves from the git repo on your local filesystem. Debug this DevTools web page and edit its source like any other web app.
I hope this is what you need.
There's no way to control the web developer tool from an in-page script, other than through the Console API which provides mostly logging facilities. Letting scripts control more than that would be a serious security issue, since it would allow a web page to control parts of the browser.
The only API remotely related to what you're trying to do is the debugger command, which switches to the script pane only if the developer tools were already open.
But who are you trying to develop this feature for?
If it's for developers working on the site, then it's better to just use the existing developer tools manually, by setting breakpoints, or the pause on exceptions toggle.
If it's for end users, don't. Unless your site is supposed to be used by highly technical web developers, you're only going to scare away users if the developer tools suddenly pop up with errors.
If you really want to show errors you can implement your own logging framework and the UI for error reporting, which works with basic JS and doesn't depend on a specific browser environment.
Here's another answer that proposes a solution to your mentioned use case/objective (detecting errors, getting & displaying console logs) and not the not possible objective in the title.
You can make and use a console wrapper and use it in your code,
and/or you can monkey patch the console functions if you use/import external JS, but you need to apply it before loading them.
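The console wrapper suggested in the answer above, combined with the in-page error reporting suggested in the answer before it, as an added example that is not part of the original answers. The names installConsoleCapture, formatArg and renderReport are hypothetical.

```javascript
// Added example (not from the original answers). installConsoleCapture,
// formatArg and renderReport are hypothetical names.
function formatArg(value) {
  if (value instanceof Error) return value.stack || `${value.name}: ${value.message}`;
  if (typeof value === 'string') return value;
  try {
    const json = JSON.stringify(value);
    return json === undefined ? String(value) : json;
  } catch (_) {
    return String(value); // circular structures, BigInt, etc.
  }
}

// Wrap the console methods; call this before any third-party script loads.
function installConsoleCapture(target = console, levels = ['log', 'info', 'warn', 'error']) {
  const entries = [];
  const originals = {};
  const record = (level, message) => entries.push({ level, time: Date.now(), message });

  for (const level of levels) {
    if (typeof target[level] !== 'function') continue;
    originals[level] = target[level];
    target[level] = function (...args) {
      record(level, args.map(formatArg).join(' '));
      return originals[level].apply(target, args); // DevTools still sees the call
    };
  }

  // Browser only: uncaught exceptions never pass through console.*.
  const onError = (e) => record('uncaught', `${e.message} (${e.filename}:${e.lineno})`);
  const inBrowser = typeof window !== 'undefined' && typeof window.addEventListener === 'function';
  if (inBrowser) window.addEventListener('error', onError);

  return {
    entries,
    restore() {
      for (const level of Object.keys(originals)) target[level] = originals[level];
      if (inBrowser) window.removeEventListener('error', onError);
    },
  };
}

// Render into a page element. textContent, not innerHTML: log messages can
// carry untrusted strings and must not be parsed as markup.
function renderReport(entries, container) {
  for (const { level, message } of entries) {
    const row = container.ownerDocument.createElement('div');
    row.textContent = `[${level}] ${message}`;
    container.appendChild(row);
  }
}
```

Call `restore()` once the test run finishes so later code sees the unmodified console.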
No, any secure browser will not allow a script to open an extension, as it leads to insecurity.
But you may design an add-on/extension or Console APIs to do the same for a specific site.
Create an add-on like this to achieve that requirement.
You can try sending the keys 'CTRL' + 'SHIFT' + 'I';
that may work for Chrome and Firefox (in IE you need to use 'F12').
I am using it when required, as a few utils in this add-on used to work better than the built-in.
EDIT:
Nowadays Chrome is advanced with many new advancements (source).
I hope this helps!
Hate to answer such an old question, but was surprised to not see this as an answer, so I thought I'd add it in case it can help someone in the future.
Assuming you have access to the source code, you can place an alert("open devtools"); statement immediately before the first line you're interested in debugging. This alert will give you an opportunity to open DevTools and set a breakpoint on that first line before clearing the alert thus allowing the code to continue and hitting the breakpoint.

<a href="fb//"> open post/video Link in native App? [duplicate]

Some dev blogs have published information about the "fb://" url scheme for opening various views in the Facebook iPhone App. No matter how much I've searched, I haven't found one word from any official Facebook source about this.
Since the information is public anyways, I'm sure I'm not the only one who'd like to know, whether using this url scheme is officially approved, am I allowed to use it, does it work correctly, and if it's not approved, will it be and what's the approximate schedule for that?
Thanks in advance for any info on this subject!
It's there to support the iOS push notification system (i.e. you get a push notification that says "Friend's Name tagged you in a photo", and you tap on it, it takes you straight to the photo).
I'd assume it's not intended for third party use and therefore subject to change. Hell, Facebook's public-facing APIs are subject to change on a whim anyhow, so I'd be especially cautious about something they hadn't documented.
It's for iOS only. The iOS API lets you define your own URL scheme, so Facebook must have developed their application to register the fb:// URL scheme on iOS devices. It's not a feature that was created by Apple, it's something you, the developer, can make up.
Here are some resources you can investigate
The Facebook iOS SDK
Here on StackOverflow
A tutorial on how it works (not Facebook-specific)
You can use it from your own applications on iOS, but only if the Facebook application is installed. There are, however, plugins and browser extensions out there that mimic the behavior by handling the fb:// schema on your desktop browser.

Google Chrome Extension: access padlock/certificate info

Okay, a bit of an odd question here, but I'm doing a research project about what influences people to make trust decisions when they look at a website, and without going into all the back story here, I am developing a browser plugin for Google Chrome that identifies the elements that people look for the most in a web page and tries to give a trust rating for that page. One major bit of information is the security certificate and that nice green padlock you see in the omnibox.
I am new to Chrome extension programming and I've searched the Javascript Chrome APIs here: https://developer.chrome.com/extensions/api_index, but the omnibox seemed to only allow you to enter search terms. If it isn't possible, are there any alternative ways to see if Chrome trusts the certificate of the current page?
Question: Is there any API for getting info about the state of the padlock icon in the omnibox so that my application can know the state of that padlock icon?

Will a Chrome extension specified for a website be running when I'm not visiting that site?

Suppose there is an extension for Google+, so when I'm visiting plus.google.com, it's running, but what happens if I close the Google+ tab? Is it still running and consuming my computer's resources?
PS: I ask this because I'm wondering whether, if this is true, I can write an extension that enables or disables other extensions according to the website that I'm visiting, so maybe my Chrome would be faster.
It depends.
The author of a Chrome extension can tell Chrome that the extension should only be active on particular websites. However, no matter the website you are visiting, the extension will always be running. To observe this phenomenon for yourself, hit Shift+Esc to display the task manager. Note the extension processes. You can see by trial and error that if Chrome is running, all of your enabled [background] extensions are also running.
The benefit of the Chrome extension developer specifying particular websites is that, even though the extension is always running, it will not receive event notifications for websites that don't apply to it - basically, it will be sleeping. So the effect is appreciable.
For more information about Chrome extension configuration options, see the Chrome extension manifest documentation here.
Edit: Please see Serg's answer re: modifying other extensions.
There are two types of extensions from resource consumption point of view - those that have a background page and those that don't. Permission warnings you see in the gallery don't give you any indication what kind of extension it is.
Extensions without a background page are consuming resources only (well, probably mostly) when used. Those with - consume memory always, plus might consume CPU depending on what they are doing there.
You can very easily write extension that disables all others with management api and the benefit from it will be noticeable on performance (I wrote one for myself actually).
