I was wondering if there is a command or something that gives access to Chrome's downloads location. I mean this frame on Settings.
From a webpage? Hell no. Lots of security and fingerprinting issues could arise from that very easily.
From an extension, doesn't look like it. Feel free to check through the docs yourself, but I didn't see it under any category I thought it might be under.
Related
I'm investigating something and it led me to a website online.
I haven't yet visited the website because I have reason to believe that it may have malicious content.
I know that in Google Chrome, you can view the source code of a webpage by pressing Ctrl-U. Unfortunately, that requires having visited the page.
Then I discovered that you can get the source code of a webpage without visiting it by adding view-source: before the https:// part of the URL.
So I can view Wikipedia's home page source code with view-source:https://www.wikipedia.org.
I want to do the same with the potentially malicious website but I don't want anything to happen to my computer. The only person I could consult regarding the website said that it "tracks the hell out of your computer". While whomever they heard that from does have a background in network engineering, they themselves don't, so I don't have any detailed information about it.
I know that basically all websites "track" you, i.e., gather information about your computer, such as its IP address, window resolution, user login, etc. by installing cookies on the user's computer to be requested later upon the next visit, but I don't know much about how far those abilities can extend.
I also found out from somewhere (I may be wrong) that there is a difference between "view page source" and "inspect page source" because the first one gives you the raw source code before any JavaScript is applied and the second one is available once you're on the site and any applicable JavaScript has already been applied and you can see its results.
Based on that, I'm assuming that it's perfectly safe to use the view-source: technique if I don't care about the results of the scripts on the page.
So essentially, I need to know these things:
Is it really perfectly safe to use view-source:? I'm assuming not, so I'd like to know exactly what risks I'm taking and what risks I'm avoiding by doing this. EDIT: Forgot to mention. Does the website know that I'm viewing its source code, and does it by that fact know that my IP address requested its source code?
Assuming I can read the JavaScript scripts, can I get a general sense of what the scripts do by reading what I get from view-source: alone, or can a webpage access scripts from other webpages without them explicitly being written on that page? (I'm assuming they can do that since I see hyperlinks on other websites ending in .js that I can click on revealing more JavaScript scripts) Note: I don't really care what the content of the webpage is in terms of what an ordinary user sees, since my investigation already knows and/or doesn't care about what is on it, I just care about what the webpage does in terms of tracking users.
What can "tracking the hell out of your computer" entail exactly? In other words, what are some worst-case scenarios? No scenario is too outlandish; part of my investigation is to learn about this kind of stuff since it will help us down the line.
The general answer is to just disable javascript and cookies in your browser first.
Generally yes it's ok to view source, especially if javscript is disabled prior.
You can if their scripts are readable, many sites however will minimize the code, which is generally not very readable.
If javascript is disabled it's likely that their tracking would not work or at best be incomplete.
I ignore the "how to ask" topic from above for now to answer your question.
What I am not sure whether Stack Overflow is the right site for it in Stack Exchange.
The question is basically what threats you suspect from your "potentially malicious page".
If your concerns are mainly about privacy, it might be OK to take the risk.
Sometimes I even just use "incognito mode", despite I know about it flaws, if the threat I suspect is limited.
If your concern is that the page code might try to elevate privileges out of the sandbox using security issues in the browser or more, you would basically trust the security implementation of the same software, which the page is trying to "hack in".
For the latter I at least use a read-only VM with minimal software and network access or, when it is about a serious threat, e.g. a ransomware, really an old notebook, which gets installed before and wiped after or even the hard-disk destroyed afterwards.
And even with the latter, I am taking the risk, that something might have modified the BIOS.
Well let's say you have a virus that you designed yourself on your computer using JavaScript. If you save the source code of the virus as a .js file on your device, your device will not be harmed because it has not become a virus yet, or in other words, it has not been run. Now let's consider that you have browsed a malicious site, but you do not realize that since you visited the site and the browser has turned on the source code of the site, i.e. The browser has edited the virus or ran it, but if you view the source code of the site via view-source: the virus will not run even if it exists because the browser has not translated the site yet, meaning that it is practically still closed and you have never visited it only you It shows the source code of the site and does not go to the site, it's like an apk file that has not been installed yet. I get my point
I have a web site made by Python Django.
And I want to check if a visitor's chrome browser's chrome extension is installed.
I found some information, it looks possible with Javascript.
https://www.python2.net/questions-993829.htm
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/management/getAll
They say you can get all installed chrome extensions by writing it like this.
chrome.management.getAll() or brower.management.getAll()
But When I tried that "chrome.management" is not defined.
Is it need to add library to use chrome.management?
I read the API documents, But I didn't know How can I to do.
Please teach me if you know about this. Thank you.
From the looks of chromes docs (https://developer.chrome.com/docs/extensions/reference/management/), it seems that chrome.management is only able to be used in chrome extensions with the management permission. There doesn't seem to be any real alternative for websites. (Although if you own the extension you might be able to create a hidden div with a specific id, then the website could detect that).
If chrome did allow websites to see this it would also make fingerprinting much easier.
I am fairly interested in my website visitor's Chrome extensions, and what they do
( outgoing network communication, file saving, storage, etc. )
Is there any possibility to detect these?
No.
That would be a nasty invasion of privacy.
The closest you could come to detecting an extension would be to examine the DOM and JS environment of your page and see if the browser modified it in ways you didn't expect … but that would be a massively broad problem to solve, so you could only practically do it to look for very specific effects (which is what ad-blocker-blockers do).
For some specific extensions only, you can detect them by trying to load resources from them. This will be testing for specific extensions, and not discovering a list.
This requires you to know the extension ID, path to resource, and the resource has to be in web_accessible_resources. As the name suggests, that makes some files accessible from the web context, so you can try to load them. A network error would signify it's not installed (or no longer has that resource in web-accessible).
Again, that requires you to know the extension you're going to test for in advance, and extensions without web-accessible resources are invisible to this technique.
Notes:
Google Cast library uses this technique to probe if its own extension is installed.
If it's not, it generates a nasty error in the JS console for the failed network transfer, an error that you cannot silence from JS code — which was enough of an annoying problem that Chrome eventually added a blacklist for those console messages just so it isn't an eyesore.
From that, you can deduce it's probably not a good idea to test for a long list of extensions. It will pollute your console with errors. For cooperating extensions on pre-defined domains, there's a better way to test that it's installed. But that's not your case.
I couldn't find this in the linked questions above.
I have written a JS Web app that uses Google Maps. I'm getting reports from India that the browser location isn't being found on the mobile version of the app, and I need to be able to debug it (I live in New York).
It works fine in the NY installation, so I need to test on the Indian installation.
The problem is that I need my browser to report a local long/lat, so I can trigger that JS code path.
Is there a way to get my browser to spoof a long/lat?
This is the only thing I've found. It looks fiendishly complex, rather delicate, and I'm not sure it would work for my application.
Is there a more straightforward way for me to do something like supply a GPX file (like I do for Xcode) to spoof a location?
I am using a Mac, and can use pretty much any browser to do this.
Thanks!
OK. I figured out how to do this in Chrome.
It is almost the same as this (The solution I mentioned in the question).
However, Google seems to have moved things around. You no longer have the "Emulation" tab. What you have is a "Sensors" tab that appears in the second Developer panel:
In here, you can play with it.
Sometimes while browsing websites using Chrome, you can see a yellow prompt showup. How can I trigger that prompt for my own websites?
For example try going to the The Independent's website and you will be prompted "The Independent now has a Google Chrome Extension. Get the latest news on the topics you like, direct to your browser."
I have previously seen this prompt on Google.com as well, however I assumed that that was something internal for google only websites. This is the first time I have seen the prompt for Non-Google owned websites.
It's a custom look-a-like they've made. Take a look at their javascript file here: http://www.independent.co.uk/independent.co.uk/editorial/javascript/tb.js
It does most of the work. You might be able to get some ideas from there :)
I assume you need to check this question: Chrome - Notify User to install your extension
Looks like there are no standard API for defining extension available for particular site – so you need to imitate such behavior with JS.
If I made a mistake, feel free to correct me in comments.
You are looking for the Infobars API, but this feature is only available for extensions.