I am developing a Chrome extension that absolutely always needs to run with the newest code.
Now, this is a problem that I am not quite sure how to solve without going for eval()-like functionality.
I designed it to fetch the newest script from the server over HTTPS, then execute it using new Function().
It's absolutely most important to have the extension run using the newest code for every user, and updates managed by Google don't solve that problem because they are usually delayed or require the user to update manually.
CSP only allows scripts executed from the domain specified by me, but I am also using unsafe-eval, although I can encode these scripts using a hash for more security.
Scripts require access to the page DOM and the chrome.* API. I can't just specify them as a script src in the popup, because that's not the point.
Are there better solutions to this problem?
I am new to Chrome extensions. I want to add a button to the Gmail compose bar like this. I tried some of the Gmail API to achieve this but couldn't find a solution.
Does anyone have an idea of what the approach would be?
You should take a look at the gmail-js npm package. It provides a lot of interfaces to communicate with the Gmail app from your Chrome extension. I am currently working on a Chrome extension myself that is supposed to work with the Gmail app, and it has made my life so much easier.
Look at the gmail.tools.add_toolbar_button function in the documentation for this particular case.
There are a few things that you need to be careful of, though. For example, you can not use the APIs this package provides in your content script; you'll have to inject it into the page DOM. The boilerplate example is very helpful to get you started.
Also, the communication between the injected file and the content_script can not be done using the chrome.runtime API; you will have to use the window.postMessage API for that.
Good luck.
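The window.postMessage channel mentioned in this answer is reachable by any script on the page, so the content script has to decide which messages to trust. The following is an added example, not code from the answer or from gmail-js; the channel tag, message types and payload shape are assumptions made for the illustration.

```javascript
// Added example, not code from the answer above or from gmail-js: a
// content script accepts window.postMessage traffic from the script it
// injected into the Gmail page and drops everything else. CHANNEL, the
// message types and the payload shape are assumptions for this example.
const CHANNEL = 'my-gmail-ext';
const ALLOWED_TYPES = new Set(['toolbar-button-clicked', 'compose-opened']);

// Decide whether a MessageEvent came from our injected script. Any frame
// or page script can call window.postMessage, so the origin must match the
// page the content script runs in and the payload must carry the agreed
// channel tag and a known type. (In the real listener also require
// event.source === window, which cannot be modelled outside a browser.)
function isTrustedMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return false;
  const data = event.data;
  if (!data || typeof data !== 'object') return false;
  if (data.channel !== CHANNEL) return false;
  return ALLOWED_TYPES.has(data.type);
}

// Content-script side: returns a description of the action taken, or null
// when the message is dropped. Wire it up with
//   window.addEventListener('message', e => handleMessage(e, location.origin));
function handleMessage(event, expectedOrigin) {
  if (!isTrustedMessage(event, expectedOrigin)) return null;
  switch (event.data.type) {
    case 'toolbar-button-clicked':
      return `forward to background: ${event.data.payload?.buttonId}`;
    case 'compose-opened':
      return 'compose tracked';
    default:
      return null;
  }
}

// Injected-page side: build the message the content script expects and post
// it only to this page: window.postMessage(buildMessage(...), location.origin)
function buildMessage(type, payload) {
  return { channel: CHANNEL, type, payload };
}

// Constructed sample events standing in for real MessageEvents.
const GMAIL_ORIGIN = 'https://mail.google.com';
const sampleEvents = [
  { origin: GMAIL_ORIGIN, data: buildMessage('toolbar-button-clicked', { buttonId: 'my-btn' }) },
  { origin: 'https://other.example', data: buildMessage('toolbar-button-clicked', { buttonId: 'x' }) },
  { origin: GMAIL_ORIGIN, data: { channel: CHANNEL, type: 'delete-all-mail', payload: {} } },
  { origin: GMAIL_ORIGIN, data: 'plain string' },
];
```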
I have created a google developers account. I have created a project in there. I have enabled the JavaScript maps API for the project, and I have created a browser key for it, and I have limited the usage of it to the domain of my web site that people will be viewing. When I go to do an autocomplete call on a form field in my page, I get the following error back in the response.
"This service requires an API key. For more information on authentication and Google Maps JavaScript API services please see: https://developers.google.com/maps/documentation/javascript/get-api-key"
So I read the page, and that's how and why I set everything up previously mentioned. But it still will not work, and I just can't figure out why.
What subtlety am I missing?
BTW, this is with Chrome, if that means anything; I haven't bothered with other browsers.
<script type="text/javascript" src="https://maps.googleapis.com/maps/api/js?libraries=places&region=us" key="xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx"></script>
You're setting an HTML attribute. The key should instead be included in the src URL according to the link you posted.
Straight from their example:
<script async defer src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"
type="text/javascript"></script>
Notice the location of "YOUR_API_KEY" in the URL. Your best bet when dealing with APIs like this is to look for examples and follow them as closely as you can, trying to understand them. Then modify them to suit your needs.
I found some strange <script/> tags on a site:
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/document_iterator.js"></script>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/find_proxy.js"></script>
...
I haven't been able to find much information on this, but I highly doubt this is actually related to Google Chrome, since this site in particular is still using <table>s for layout, and the source in question was retrieved with curl, not a graphical web browser.
So,
What on earth is this?
What is chrome-extension://?
Why is it using lifbcibllhkdhoafpjfnlhfpfgnpldfl as a directory name?
Why is it pretending to be a valid URL to a JavaScript file?
Why would I need find_proxy or document_iterator?
Solved. As far as I know...
chrixian was right. It seems that only on this and a few select other pages, someone had re-saved them from Chrome's source view with the Skype extension installed.
Thanks everyone for all your help, +1's for all! enjoy!
That is actually Skype Click to Call chrome extension.
Manage and view it using this link
chrome://extensions/?id=lifbcibllhkdhoafpjfnlhfpfgnpldfl
If you are using cURL to get the page, you're getting the HTML as it exists on the server, so I think a safe assumption would be: the author of the page initially saved the page from Chrome, he had an extension installed that inserted these script tags, and lastly he didn't remove the script tags for one reason or another before putting the page on the server.
This is added by Chrome as the page loads, to inject the extension's JavaScript code into the page, so it can access the HTML document.
The Skype extension causes it by inserting all kinds of junk in webpages that you visit.
Do you have the Skype browser extension installed for Chrome?
Just disable the extension.
Chrome, like Firefox, provides developers with an easy API to extend the functionality of the web browser without needing to actually download and build the browser to do so.
They also provide a robust delivery system. In Google's case, it's the Google Chrome Web Store.
Extensions are installed locally on your computer, and use long strings as directory names to reduce the risk of collisions with another extension. In other words, if you and I both named our extensions "mycoolextension", then there would be a problem if a person tried to install your extension and my extension. The long string helps prevent collisions such as this.
The chrome-extension:// protocol is used by the browser to make requests to these local resources. Chrome extensions are developed using HTML5, JavaScript, and CSS, along with an API exposed to allow the local JavaScript to perform actions it would not normally be able to do on the Internet.
When you see these in the Chrome developer tools, it's just the extension doing its thing, whatever that may be.
If you're seeing these, then you likely installed some extensions from the Chrome Web Store. To view them, go to the Tools menu and select "Extensions". This will show you a list of all installed Chrome extensions and apps.
To learn more about extension development, see the Getting Started Tutorial.
Also, as someone else mentioned, you're using the Skype Call Extension. However, an app using that directory name doesn't appear in the first page of the search results. It might be worth doing some more research to make sure you got that extension from a legitimate source, whether that be Skype or the Chrome Web Store.
If you're seeing it in Chrome developer tools for every request you make, it means it has access to all your websites, which could be benign, like if they're just making phone numbers clickable, or it could be malicious, if it's scraping your bank account info and shipping it off to some third party server. :)
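The answer above notes that an extension's directory name is a long unique string. As an added example, not code from this thread, the following scans saved HTML for leftover chrome-extension:// script tags like the ones in the question and reports the extension IDs they name; it relies on the fact that Chrome extension IDs are 32 lowercase letters in the range a-p, and the sample HTML is constructed for the example.

```javascript
// Added example (not from the thread): scan saved HTML for <script src>
// values that point at chrome-extension:// URLs, the leftovers described
// above, and report which extension IDs they name. Chrome extension IDs
// are 32 lowercase letters in the range a-p, which is what EXT_ID_RE checks.
const EXT_SCRIPT_RE =
  /<script\b[^>]*\bsrc\s*=\s*["']chrome-extension:\/\/([^/"']+)\/([^"']*)["'][^>]*>/gi;
const EXT_ID_RE = /^[a-p]{32}$/;

// Returns one entry per chrome-extension:// script tag found in `html`.
function findExtensionScripts(html) {
  const found = [];
  for (const m of html.matchAll(EXT_SCRIPT_RE)) {
    const [, id, path] = m;
    found.push({ id, path, validId: EXT_ID_RE.test(id) });
  }
  return found;
}

// Group by extension ID so a report lists each extension once, with the
// files it injected; a malformed ID is flagged so it can be looked at.
function summarize(html) {
  const byId = new Map();
  for (const { id, path, validId } of findExtensionScripts(html)) {
    if (!byId.has(id)) byId.set(id, { validId, files: [] });
    byId.get(id).files.push(path);
  }
  return byId;
}

// Constructed sample: the fragment from the question, plus an ordinary
// script and a tag whose ID is not a well-formed extension ID.
const SAMPLE_HTML = `
<html><head>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/document_iterator.js"></script>
<script src="chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl/find_proxy.js"></script>
<script src="https://example.com/site.js"></script>
<script src="chrome-extension://not-a-real-id/inject.js"></script>
</head><body><table><tr><td>legacy layout</td></tr></table></body></html>`;
```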
It's a Chrome extension, and chrome-extension:// is a URL scheme for extensions to address their contents via JavaScript.
lifbcibllhkdhoafpjfnlhfpfgnpldfl is the unique identifier for the extension. I can't find it with a search, but apparently it might be Skype.
It's not pretending... it is a valid URL. The JavaScript file is located in the extension. If you were to look on your hard drive you'd probably find that very file in the extensions folder.
The functions it's calling are probably some sort of detection used by the extension to see if it needs to enable itself.
See this for some additional information:
Checking if user has a certain extension installed
The context: I'm writing JavaScript to run an executable and tweak some registry entries on the client machine. I've signed the .JAR using SignTool and my company's Authenticode certificate, but running the script produces a dialog saying:
There is no mention of the root certificate authority (in this case Comodo, I believe), so I could just as well have generated a self-signed certificate to put the company name string in the dialog.
My question is: is this all the user is meant to see? This example page at jar:http://www.mozilla.org/projects/security/components/signed-script-demo.jar!/signed-script-demo.html shows the same dialog, but there's still a lack of any "examine this certificate" link or mention of a root CA.
Are there any recent resources for writing signed scripts? The Mozilla pages are mostly several years old and many reference now-defunct documentation at developer.netscape.com.
-- Martin
The code that runs those signed jars and elevates privileges hasn't changed in years either, so that documentation should be correct. The code hasn't really been touched because nobody on the web uses that stuff. Yes, I'm aware of the chicken-and-egg problem here with the crappy UI.
You could try filing a bug with Mozilla about this, but I'm not sure it'd get worked on (but patches would likely be welcomed).
We were forced to use signed scripts to access our Firefox addon from JavaScript. I wrote my experience about it here.
Shortly:
encapsulate your privileged logic in a separate HTML+JS page
make this page do the actual work on page load
sign it and put it on the server (you need packaging, a custom content type, etc.)
on usual (unsigned) pages: load the signed page into a hidden IFRAME and interoperate with it using JavaScript callbacks