Ways to notify/alert the user in Firefox's WebExtensions - javascript

I'm developing cross-browser extension using WebExtensions API. It's focused on monitoring some HTTP request and blocking potentially malicious ones. I need to get user input for each blocked host (because it could have been falsely blocked and user might want to unblock it right away). Originally I wanted to use popup, but then I found out, that popups are only allowed to be thrown up in User Action event handler, which is a problem, I need to to that independently on the user's action. After that I found second option - the Chrome's notification API. But again, found out, that Firefox does not implement buttons in notifitacions (even though Chrome does). OnClicked event is supported for notification, but that's not enough (mainly because of users accidentally clicking on the notification to close it).
TL;DR - Looking for a way to alert/notify user and get the input from him by clicking on one of two presented buttons. Popups and Notifications does not seem like sufficient way.
Can you suggest ways to implement desired behaviour?
Possible solutions:
1) Injecting content script that implements popup window and communicates via messages with bacgkround script.
2) Simulating animation of extension's icon to draw user's attention.

Related

Is it possible to create a button that opens a specified website in a new tab and closes the current one?

I am creating a WordPress website for a client. This website offers support for victims of abuse, and my client wishes for a "panic" button on the website that, when clicked, either:
a) sends the user to a specified website (for example google.com) and then erases the history of the Back button
b) opens a specified website in a new tab (which eliminates the Back button issue) and then closes the current one.
I tried adding a simple button like this:
<button onclick="window.close();">Close</button>
But then I get this in the console:
[Warning] Can't close the window since it was not opened by JavaScript
If this is not possible to do by using Javascript, are there any other ways I can go about doing it?
Not possible.
The problem you're up against is that the browser doesn't allow Javascript to control things like opening and closing tabs, and rightly so. A web page really shouldn't be able to access or control things outside of its tab, this is a concept called sandboxing. Web pages are free to play in their own sandbox, but aren't allowed to know about or change things outside their sandbox. "Browser history" and "Other tabs" are both outside your web page's sandbox.
It's not that this is impossible in JavaScript, it's going to be impossible for any well designed browser, full stop. It's not a question of what technology you could use to accomplish this, it's a behavior that's explicitly prohibited by design. If you could do this on a major browser, you would probably be offered a bug bounty. Imagine what a malicious actor could do with the ability to modify the history in the back button, or to close other tabs.
Beyond that, I'm concerned about the approach that your employer is taking. Abusers are often more technically savvy than their victims, and a "panic button" like that won't even affect the browser's overall history, let alone defeat any advanced monitoring like spyware, or a fancy router's DNS monitoring. Victims of abuse should be discouraged from using devices or networks they believe are compromised and should seek help through trusted and secure channels of communication. I'm troubled that any sort of "panic button" functionality could create a false sense of security for a user that is not security-savvy.

Chrome extension JS event for browser notification + method to modify

I'm writing a chrome extension which will perform some actions when a system notification pops up. Specifically, I want to close them.
For example: the "Restore pages?" notification:
My manifest file has nothing particularly interesting, here is my event page:
function anyAlarmHandler (Alarm anyAlarm) {
// For now, just clear any alarm when one pops up.
chrome.alarms.clear(anyAlarm);
}
chrome.alarms.onAlarm.addListener(anyAlarmHandler);
But it doesn't clear the system notification as expected.
I suspect that I'm listening for the wrong event, that system notifications are not actually considered an alarm. But the 'notifications' API doesn't have anything regarding catching notifications.
I've looked at this question regarding catching notifications, which might work, but it doesn't help with the following:
I need to catch notifications created by the browser itself, not another extension (this might not matter, I'm not sure)
I need to modify that notification. Change the text, close it, whatever.
I've tried using the code in the link above and just popping some dialogue box when a notification happens (to test if that solution works for detecting browser notifications), but even that didn't work. I'm hoping that I'm just missing some method/event listener in some API, but I can't seem to find it anywhere. Any help is appreciated.
You cannot detect, or override, any of the Chrome's own UI popups like this.
Only another native app could potentially interact with them (e.g. simulate a click).
Short of patching Chrome (in-memory or on disk), you won't be able to change the wording.

Is it possible to make custom "allow" popup in browsers like chrome & firefox?

I have website that uses Twilio API to make calls. Each time call is made a popup from google chrome comes up saying "http://www.URL.com/ wants to use your microphone. Allow / Deny". On firefox also it comes up in a dialog.
Is it possible to apply CSS to it or somehow customize the way Allow/Deny popup shows up? Or maybe show another custom dialog that has custom buttons of Allow/Deny and when Allow is clicked somehow triggers browser Allow button?
The whole point of these popups is that the browser is warning the user that the site wants to do something which could have security implications. Being able to modify or supress that popup could stop the user from realising the security implications.
Consider a malicious hacker who wanted to listen in to a user's conversation.
If your request could be done, it would be easy for him to pop up a message saying "This site wants to show you something pretty", instead of "wants to use your microphone". User presses "accept" without realising what's happening, and hacker gets to record all their conversations. Ouch.
The short answer, therefore, is no, you cannot modify these popups, for security reasons.
You might be able to convince the user to hit accept and tick the "don't ask me again" box if the browser provides it, but that's as close as you'll get. You definitely will not be able to get rid of the box entirely, nor will you be able to customise it in any way.
It's worth noting that even native apps on mobile devices give you the same kinds of warnings when you install them, so this isn't a browser-specific thing. If you're doing something that the user might possibly have any reason to object to for security or privacy reasons, then the system will warn them before allowing it.

Is it possible to update a javascript method via debugger in firefox and chrome?

Does anyone knows the steps to change javascript function via debugger in firefox or chrome? Is there any serious security concerns in it?
The steps to change JS function using chrome devtools are as follow:
Open chrome dev tools (you can use right-click and then choose inspect element).
Open the 'Source' tab.
Choose the javascript file that contain the function you wish to change.
Edit the code.
Click on 'ctrl-s' to save it.
You are done. If this code is being called from an event on the page (e.g. click on a button) you will be able to see your changes without any reload.
As for security concerns, you should always validate the user input on the server side. On the client you should 'guide' the user to enter the right data but never trust it. There are many cases where someone will be able to change the data 'on the fly' (=man in the middle) so you should never trust the client.

Display popup without security warning

I use Silverlight and I'm trying to get some data to the user side. I can easily display PDF file with an <embed> tag in the browser.
However, I also have to be able to save files form the server. I tried the SaveFileDialog from Silvelright but it doesn't allow setting the file name (which is an issue).
I tried setting a hidden <iframe> source to the URL from the server but that triggers a security warning and it's not good either (there would be too many clueless users calling because it doesn't work).
I tried calling window.open to trigger a new popup set to the URL. That works OK but again there's a security warning.
Is it possible to get rid of that security message? I know it's possible in Javascript.
An exampel is on the site
http://livetecs.com
(go to the live demo, then project manager and open a report in a new window: no security warning!)
How do they achieve that behavior?
If there's any other way to get my reports saved Silverlight I'd be very interested to hear about them.
EDIT: The warning I'm talking about is the Pop-up blocked. To see this pop-up or additional options click here.. banner appearing on top of the page.
Cheers.
There is no way around the pop up blocker when you open up a window without a user action. If there was a way around that, than the pop up blockers would be useless.
Only way to avoid the security message is to have the users add your site to their safe list.
OK, after much fiddling I came accross the Silverlight built-in pop-up window that I couldn't use before.
The only limitation is that it can only be triggered by a user action (which is fine in this context() PopUpWindow at MSDN
It fits the bill perfectly and I couldn't use it before because I wanted to pre-generate the report files before opening the pop-up (and thus I wasn't in a user event context anymore).
I'm going to create a report generation page that will display a status message and then show the report (I haven't worked out yet how I'll do that though).

Categories