Logged in on both a website and a Chrome extension - javascript

We have a file sharing service, http://ge.tt, and a few extensions for Chrome. One of them adds extra capabilities to Gmail.
In this extension we ask users to log in to Ge.tt before they are able to use the extension. Since they are already logged in on Ge.tt, it would be great if they didn't have to log in again, and the extra login causes some users to misunderstand how it works.
What would be a good way to go about tackling this problem? Do others have the same issue?

For example, the Grammarly extension can detect if you are logged in to the Grammarly site.
They are using this permission (and it is actually enabled on ALL sites; they can read even httpOnly cookies on any site).
N.B. I don't know why they are listening for cookies; they could (as pointed out by #alex-k) just make a request to api.grammarly.com/is-authenticated,
because I see they don't use same-site=strict or lax.
This is a screenshot from after I logged out and the extension made a request to log some action on their site; the server set an anonymous cookie in my browser.

You can simply make an HTTP request from the extension to a user-only page to see if they are logged in. Something like ge.tt/my-profile-ping, which returns 1 if the user is logged in and 0 otherwise.
Extensions share the same cookies the browser does, so you just need to test whether the user is logged in and then continue displaying logged-in-only data in your extension.
Also, don't forget to enable requests in your extension manifest for the domains ge.tt and www.ge.tt, and probably the https versions too (if you haven't already).
Something like this in your manifest.json:
...
"permissions": [ "http://ge.tt/*", "https://ge.tt/*", "http://www.ge.tt/*", "https://www.ge.tt/*" ]
...
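The ping check described in this answer, written out as an added example (not the answerer's code and not Ge.tt's own). It assumes a hypothetical endpoint at https://ge.tt/my-profile-ping that answers "1" for a logged-in session and "0" otherwise, and that the manifest host permissions above are in place; fetch is injectable so the decision logic can be exercised offline with the constructed fakeFetch.

```javascript
// Added example, not code from the original answer or from Ge.tt: a background-script
// helper that asks the site whether the browser's cookie jar holds a live session.
// Assumed (hypothetical): a ping endpoint at https://ge.tt/my-profile-ping that
// answers "1" for a logged-in session and "0" otherwise, as the answer proposes.
const PING_URL = "https://ge.tt/my-profile-ping";

// Turn the ping response into a decision. Anything other than a clean "1" is
// treated as "not logged in", so a failure never unlocks logged-in-only UI.
function interpretPing(status, body) {
  if (status !== 200) return { loggedIn: false, reason: `http ${status}` };
  const text = String(body).trim();
  if (text === "1") return { loggedIn: true, reason: "session ok" };
  if (text === "0") return { loggedIn: false, reason: "anonymous" };
  return { loggedIn: false, reason: "unexpected body" };
}

// fetchImpl is injectable so the logic can be exercised offline; inside the
// extension, call checkLogin() with no arguments and the global fetch is used.
async function checkLogin(fetchImpl = globalThis.fetch, url = PING_URL) {
  try {
    const res = await fetchImpl(url, {
      credentials: "include", // send ge.tt's cookies (needs the host permission)
      cache: "no-store",      // never answer from the HTTP cache
      redirect: "manual",     // a redirect to a login page must not count as "1"
    });
    return interpretPing(res.status, await res.text());
  } catch (err) {
    // Network down, host not listed in manifest permissions, etc.
    return { loggedIn: false, reason: `error: ${err.message}` };
  }
}

// Constructed stand-in for fetch: plays the server for a given cookie jar.
function fakeFetch(cookieJar) {
  return async (_url, opts) => {
    const hasSession = opts.credentials === "include" && cookieJar.session === "valid";
    return { status: 200, text: async () => (hasSession ? "1" : "0") };
  };
}
```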

Related

Hidden Sign out from all Google accounts in my website

I need to force my users to sign out from all their Google accounts. I have a link which can do that:
https://www.google.com/accounts/Logout
And I also found a way in JavaScript to trigger this link:
new Image().src = "https://www.google.com/accounts/Logout";
Everything works except in incognito mode and in the Firefox web browser.
The result in the web browser console is exactly the same in both situations, and it also triggers that endpoint, because I can see entries in the Network tab that respond with status 200, but I am still signed in with the accounts.
Do you have any idea what might be wrong? There is no error in the console. I only receive "CORS blocked", but I don't care about the response. I just need to make sure users are logged out before they do the next actions on my website.
Do you have any other ideas for how I can achieve that?
Thanks in advance

Cookies disappear from a PWA each time a user restarts their phone

I have a web app that uses a cookie as an access token (to let users stay logged in after refreshing/closing the site/app). It works perfectly on desktop, but when I try to use it on my Android phone (installing it via Chrome), for some reason it says that I'm not logged in, which means it wasn't able to load the access token.
Why is this happening? Is there a difference between how cookies are handled in the browser and when starting a PWA as a standalone?
Also, two little side questions: 1) is there a way to debug a PWA that's added to the home screen (using some sort of remote debugger), and 2) would it be a security risk to use localStorage for storing the access token instead of a cookie? I realize neither is particularly safe, but I read that cookies are slightly better for this sort of thing. localStorage works just fine when starting as a standalone.

Detecting Advanced privacy settings in IE using Javascript

At the moment I'm using Modernizr to detect if the client is blocking cookies and to provide warnings if that is going to prevent them from doing something, i.e. logging in or adding to cart.
https://github.com/Modernizr/Modernizr/blob/master/feature-detects/cookies.js
However, I've found that if you use the Advanced privacy settings to block cookies, this is not detected, so the user doesn't get any warning and the site will appear to be broken.
I can't seem to find anything that suggests any way around this.
The Modernizr test is a purely client-side test. If IE's settings fool that test, it seems like you'll need to set a cookie in your main response, then do an AJAX call and see if the cookie went back to the server. If it did, cookies aren't blocked; if it didn't, they are.
This also has the advantage that it's an end-to-end test: it doesn't matter where the cookie was blocked (the browser, a proxy, etc.); it'll tell you whether cookies currently work for that user in that environment with your site.
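The server half of the end-to-end check this answer describes, as an added example (not the answerer's code): the main response sets a probe cookie and the follow-up AJAX call reports whether it came back. The endpoint path /cookie-check and the cookie name cookieprobe are assumed names; route() is the pure request-to-response mapping, ready to wire into any Node HTTP server.

```javascript
// Added example, not from the original answer: server-side logic for an
// end-to-end cookie test. Names /cookie-check and "cookieprobe" are assumed.
const PROBE = "cookieprobe";

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Pure request -> response mapping so the logic can be checked without sockets.
// pathname: request path; cookieHeader: the raw Cookie header (or undefined).
function route(pathname, cookieHeader) {
  const noStore = { "Cache-Control": "no-store" }; // the probe must never be cached
  if (pathname === "/cookie-check") {
    // Did the probe cookie set by the main page survive the round trip?
    const ok = parseCookies(cookieHeader)[PROBE] === "1";
    return {
      status: 200,
      headers: { ...noStore, "Content-Type": "application/json" },
      body: JSON.stringify({ cookiesWork: ok }),
    };
  }
  // Main page: set the probe cookie and ship the client-side follow-up call.
  // HttpOnly keeps the probe out of page scripts; SameSite=Lax is enough because
  // the follow-up request is same-origin.
  return {
    status: 200,
    headers: {
      ...noStore,
      "Content-Type": "text/html",
      "Set-Cookie": `${PROBE}=1; Path=/; SameSite=Lax; HttpOnly`,
    },
    body: `<script>
      fetch("/cookie-check", { credentials: "same-origin", cache: "no-store" })
        .then((r) => r.json())
        .then((j) => { if (!j.cookiesWork) alert("Cookies are blocked; login and cart will not work."); });
    </script>`,
  };
}
```

Wire it up with `http.createServer((req, res) => { const r = route(new URL(req.url, "http://x").pathname, req.headers.cookie); res.writeHead(r.status, r.headers); res.end(r.body); })`.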

Chrome extensions can't access localStorage when 3rd party cookies and/or site data is disabled

A user of my extension recently reported that when he blocked 3rd-party cookies, it killed our extension as well. I've traced the issue down to localStorage being inaccessible. I have "storage" and "unlimitedStorage" set in the manifest.json permissions. I am looking into switching to chrome.storage.local, but because it's async, I need to rework a fair bit of code.
Does anyone have an easy workaround?
Just thought of a workaround while typing this up and tested it:
Setting a cookie exception of chrome-extension://* Allow lets my extension access localStorage.
Not perfect, but it'll do for now.

How to get the windows (logged in) username in Firefox using Javascript

I am working on a very old web application (for intranet usage only). In the code, the developer obtains the logged-in account via this:
var wshNetwork = new ActiveXObject("WScript.Network");
document.getElementById('userId').value = wshNetwork.UserName;
This works only in IE. How can I get the logged-in account in Firefox/Chrome?
I have looked into other threads (e.g. Finding the currently logged in user from a Firefox extension), but that's only for extensions.
Are there any other ways to get the domain logged-in username in Firefox/Chrome?
No, this is severely security-sensitive information - the main attack vector for compromising your computer. In IE it also only works for trusted websites such as localhost, or with special configuration for the local network - never on the internet without additional configuration. Sandboxed JS will never be able to access this information - extensions are considered elevated.
This is something that I would do on the server side. Provided you're using IIS, I would set the page to use only Windows Authentication, read the current user on the server side, and send it back to the client via a hidden field or a JavaScript variable.
