I work on a web site, using jQuery-1.8 , and found out, a certain extension ( on the CEO-s laptop ) is using jQuery-1.7 as a content script. This content script overwrites my script. Is there a way I can block at least some certain extensions from loading on the chrome tab my web app is using? A meta tag maybe?
No. Unless the said extension is cooperative (that is it looks for the meta tag, or a specific URL, to disconnect itself), you have no way of disabling it.
You might find a way dependent on the extension but you'd need the extension's code to look for it.
In your specific case the problem seems to be that jQuery is overwritten. Can't you simply wrap your code in order to use the specific jQuery you need ?
(function($) {
// here $ is protected :
// it has the value it had when the page was loaded
})($);
This behavior by an extension is not really acceptable, you should contact the extension developers to get it fixed. If they can't be reached, then you should request removal from the Chrome Web Store.
Related
Is there any way to run a user script without running it through Greasemonkey/Tampermonkey?
I know its a simple question but I can't find any information on this...or if it's even possible.
Can the user script be edited so it doesn't rely on Greasemonkey?
It's up to the browser you are using to enable support for running arbitrary javascript on page load.
Chrome has limited userscript support, but is nowhere near as easy or powerful as Tampermonkey.
Tampermonkey and Greasemonkey (and other browser extensions) were created to address the userscript need.
You do have options for running javascript after a page has loaded though. You can use the developer tools console or you can create a Bookmarklet.
On firefox:
You can use the Scriptish addon (an alternative to greasemonkey for automatically running userscripts).
There is the Developer Scratchpad for editing, saving, loading and running scripts (and userscripts) manually. Also, can be applied on either the current document or browser chrome. Accessed via shift-F4 or Developer > Scratchpad.
And then there is also GCLI (Graphical Command Line Interpreter) which you can write routines for via a mozcmd file and is run manually. You'll need to modify the userscript a bit to access window, document objects. Accessed via shift-F2 or Developer > Developer Toolbar.
This one is a bit more involved, but if you want to go the addon route, you can write an addon using the Addon SDK, and use the page-mod API which injects a userscript into a page automatically.
In Google Chrome or Firefox you can open the DevTools (e.g. by right-clicking the page and selecting Inspect) and then paste the code in the Console tab and press Enter to run it.
In Google Chrome DevTools you can also create a js snippet and run it on demand whenever you need it.
You can also use Chrome DevTools Snippets:
Right-click anywhere on the page and select Inspect.
Select the Sources tab — you will see a number of subtabs: Page, Filesystem, Override, Content scripts and finally Snippets (you might need to click >> in order to see it).
Click the plus button ➕ to add the js code, and use right-click > Run to execute the code.
NOTE: If the original script uses extra js libraries (jquery, etc) and the libs are not already preloaded on the page, then you'll need to load them yourself (see this).
Unlike the code you run from the Console, you can set breakpoints in your JS snippets.
Is it possible to detect via JS what extensions / add ons a user has installed on his browser? The use case was the a particular chrome extension, Autofill was setting some text values into hidden zip fields causing some validations to fail and I want to show a message to the user that this extension might create problems.
For Firefox: First snippet of code on: AddonManager.jsm - MDN
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAllAddons(function(aAddons) {
// Here aAddons is an array of Addon objects
});
// This code will execute before the code inside the callback
Must run this code in privelaged javascript, as in not a tab. You can try for specialPowers though I don't know how that works.
To run privelaged script from your site you will have to create a firefox addon and addEventListener's to your site, like a button to list the addons, you would attach a privelaged function to that.
With the addon you enable/disable addons, but users find that annoying because addons do some obtrsuvie stuff on install sometimes.
For Chrome extensions specifically, only certain extensions are detectable so this is not a very good method, but as far as I know, there are no longer any reliable methods to detect browser extensions.
For the extension that you want to detect, you would need its Extension Id and its Web accessible resource.
Some extensions have web accessible resources and some do not. If there is no web accessible resource, you will not be able to detect that extension.
To find the web accessible resource, you will need to look at the extensions chrome.manifestfile. It will tell you if there is web accessible content. For example, the chrome.manifest file might say:
content web-developer content/web-developer/ contentaccessible=yes
Generally, its not very effective to look for browser extensions since you have to know which extensions you want to detect ahead of time and many times they are undetectable.
Also, here's a good link that I used when I was trying to do the same thing here
NavigatorPlugins.mimeTypes
Take a peek at the MDN page
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorPlugins.mimeTypes?redirectlocale=en-US&redirectslug=Web%2FAPI%2FNavigator.mimeTypes
Hope it helps
In JavaScript check to see if the zip field has been changed while it is hidden and show a warning to the user that an extension might be causing issues.
For Firefox you can do it with Mochitest/SpecialPowersAPI
https://developer.mozilla.org/en-US/docs/SpecialPowers
I found the some strange <script/> tags on a site:
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/document_iterator.js"></script>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/find_proxy.js"></script>
...
I haven't been able to find much information on this, but I highly doubt this is actually related to Google Chrome since this site in particular is still using <table>s for layout, and the source in question was retrieved with curl not a graphical web browser.
So,
What on earth is this?
What is chrome-extension://
Why is it using lifbcibllhkdhoafpjfnlhfpfgnpldfl as a directory name
Why is it pretending to be valid URL to a javascript file?
Why would I need find_proxy or document_iterator
Solved. As far as I know...
chrixian was right, It seems that only on this and a few select other pages, someone had re-saved them from Chrome's source-view with the Skype extension installed.
Thanks everyone for all your help, +1's for all! enjoy!
That is actually Skype Click to Call chrome extension.
Manage and view it using this link
chrome://extensions/?id=lifbcibllhkdhoafpjfnlhfpfgnpldfl
If you are using cURL to get the page, you're getting the HTML as it exists on the server--so I think a safe assumption would be: the author of the page initially saved the page from Chrome, he had an extension installed that inserted these script tages and lastly he didn't remove the script tags for one reason or another before putting the page on the server.
This is added by chrome as the page loads, to inject the extension's Javascript code into the page, so it can access the HTML document.
The Skype extension causes it by inserting all kinds of junk in webpages that you visit.
Do you have the Skype browser extension installed for Chrome?
Just disable the extension.
Chrome, like Firefox, provides developers with an easy API to extend the functionality of the web browser without needing to actually download and build the browser to do so.
They also provide a robust delivery system. In Google's case, it's the Google Chrome Web Store.
Extensions are installed locally on your computer, and use long strings as directory names to reduce the risk of collisions with another extension. In other words, if you and I both named our extensions "mycoolextension", then there would be a problem if a person tried to install your extension and my extension. The long string helps prevent collisions such as this.
The chrome-extension:// protocol is used by the browser to make requests to these local resources. Chrome extensions are developed using HTML5, JavaScript, and CSS, along with an API exposed to allow the local JavaScript to perform actions it would not normally be able to do on the Internet.
When you see these in the Chrome developer tools, it's just the extension doing it's thing, whatever that may be.
If you're seeing these, then you likely installed some extensions from the Chrome Web Store. To view them, go to the Tools menu and select "Extensions". This will show you a list of all installed Chrome extensions and apps.
To learn more about extension development, see the Getting Started Tutorial.
Also, as someone else mentioned, you're using the Skype Call Extension. However, an app using that directory name doesn't appear in the first page of the search results. It might be worth doing some more research to make sure you got that extension from a legitimate source, whether that be Skype or the Chrome Web Store.
If you're seeing it in Chrome developer tools for every request you make, it means it has access to all your websites, which could be benign, like if they're just making phone numbers clickable, or it could be malicious, if it's scraping your bank account info and shipping it off to some third party server. :)
It's a Chrome extension, and chrome-extension:// is a URL for extensions to address their contents via Javascript.
lifbcibllhkdhoafpjfnlhfpfgnpldfl is the unique identifier for the extension. I can't find it with a search, but apparently it might be Skype.
It's not pretending... it is a valid URL. The Javascript file is located in the extension. If you were to look on your harddrive you'd probably find that very file in the extensions folder.
The functions its calling probably are some sort of detection used by the extension to see if it needs to enable itself.
See this for some additional information:
Checking if user has a certain extension installed
Using Chrome Web Store inline installation ( https://developers.google.com/chrome/web-store/docs/inline_installation ) it is possible to specify a callback for chrome.webstore.install() that will be executed when the extension is successfully installed.
Through some very tedious debugging I've learned that extensions are not neccessarily 100% installed when the callback is executed - maybe the background hasn't been loaded or content scripts aren't yet available.
In my particular case the problem presents itself in this way:
User clicks install button with chrome.webstore.install() bound to onclick event.
Success callback injects an iFrame.
Content script is defined for the iFrame and injected to do some finishing work
Content script returns with a completed installation dialog.
Step 3 is the problem. Some times the iFrame will be injected before content script is fully loaded and thus no script will be injected (content scripts are only injected inside newly created iFrames, not iFrames already existing when the extension is installed/enabled).
I know there are possible workarounds such as having the extension itself inject the iFrame or a simple setTimeout(), but for the sake of helping others I think it's worth asking the question:
How can I be certain that the extension is 100% installed, when the chrome.webstore.install() callback doesn't ensure it?
Using the famous <img> load method described in Checking if user has a certain extension installed doesn't work reliably (for those thinking that'd be a solution).
This is the way to do it :
http://code.google.com/chrome/extensions/extension.html#global-events
As mentioned in the last link below , you should be able to do :
var myPort=chrome.extension.connect('yourextensionid_qwerqweroijwefoijwef', some_object_to_send_on_connect);
You can also check Checking if an item is already installed section in the next link :
https://developers.google.com/chrome/web-store/docs/inline_installation
or you can follow what have been done in this post:
Check whether user has a Chrome extension installed
I also saw solutions talking about background page and localstorage:
http://developer.chrome.com/extensions/background_pages.html
Chrome extension post-install hook/API function: does it exist?
You sure your content script's work needs to be done from the same page where the user installed the extension? If not, simply have your extension call chrome.tabs.update or chrome.tabs.create (two of the few tabs methods that don't require the tabs permission) to open a page where your content script can be injected.
Otherwise, your extension can use programmatic injection to inject a content script which can communicate with your page. You can use chrome.tabs.query to make sure you're injecting into the correct tab.
I would like a javascript to run after a page is loaded , like on the example below with a delay of 6seconds. Right after the page loads the rest of JS is lost (obvious)...
Got any ideea how change content after page is loaded without clicking a button?
javascript:window.location = "http://example.com";
setTimeout(function() {
document.getElementById('lightbox').style.display = 'none';
}, 6000);
Once you set window.location the original page will be unloaded before the new page is loaded by the browser. This means your script will be gone before the new page start loading and thus can't modify the new HTML anymore.
This behavior is inherent to the security model of the browser. Without it you could inject any JavaScript into any web site of your choosing, which would be a huge security risk. What you are asking for is so-called XSS (for cross site scripting), which is prevented by the browser applying a so-called SOP (for same-original policy).
There are some common ways to work around this limitation in a safe way:
Set up a proxy to serve both your JavaScript and the original site. This way both your script and the original site come from the same domain and satisfy the browser's same-original policy (SOP). You could run the original site in an iframe with your custom script occupying the top-level window. Alternatively you could inject your script into the HTML as it is being retrieved through your proxy.
Run your script as a browser add-on or user-script. If you choose to do this, the user will have to specifically grant your script the rights to run locally with elevated rights. Greasemonkey popularized client-side scripts for Firefox a few years ago, but recently they seem to have lost momentum.
Ask the site owner to include your script. I doubt this is a valid option for your situation. But if it is a valid option it is definitely the simplest one.
Ask the user to run your script after the site has loaded. This one is probably also not valid for you, but if valid it would once again be a very simple solution.
Your example shows that you are first redirecting and then attempting to hide #lightbox. This script would not work, because you are redirecting the browser to another site before #lightbox gets hidden.
In short, you cannot have Javascript of a previous page manipulate DOM of the next page if you redirect the user to another URL (or even the same URL). Only Javascript that is 'on currently open page' can manipulate currently open page and no other pages.
I have not understood what you are saying. JS is lost? Please be more clear.
I think what you are talking about is the jquery ready function which runs after the DOM is ready. Or in the other case, try using window.onload() function.
This should do the job:
$(window).bind('load', function() {
// your code here
});
Then simply add the delay to your added code with .delay("6000");
The inserted code will only run when your page is completely loaded.