In my app, I am currently using a web view to display some content. Then, I use Javascript injection to quickly fill out the form for the user.
The only issue is, Webviews are incredibly slow compared to Chrome Custom tabs. Is it possible to inject Javascript code into these custom tabs?
For example, here is some code I currently use:
myWebView.loadUrl("javascript:document.getElementById('join_first_name').value='" + name + "';void(0); ");
No; that would be a critical security hole.
Since custom tabs use cookies, settings, and password managers from the user's real Chrome instance, you cannot control them at all.
Chrome prohibits you from doing any of that. If this were allowed then it would be a major security flaw since you can modify the page within the app.
Suppose you have an app that has a facebook sign in. If this were possible, one could also steal someone's login credentials.
With Chrome Custom tabs, you don't have much control over the content that is served. You should probably try an alternative, like passing the first name as a URL parameter and then write a script on that page to read the parameter and fill the form out.
you need to do it like that by using data:text/html, as prefix for your script
Try that in your browser tab
data:text/html,<script>alert("hello")</script>
it will fire the javascript and alert , and as well you can print some in html from url
so i guess you need just to open the tab with the script
String suffix = "data:text/html,"
String script = "<script>document.getElementById('join_first_name').value='" + name + "';</script>"
String url = suffix + script
myWebView.loadUrl(url);
It's browser behaviour in desktop and mobile
I haven't try it in WebView.loadUrl and actually still if it's done by WebView.loadUrl it will be a security hole
There's supposed to be no way to inject Javascript to Chrome web browser.
If you can execute the Javascript queries to chrome via some third party apps, thereby you can read all the cookies, clear every sessions, and whatever the javascript is capable of. Which is really a huge security flaw.
What you can do is to load your URL in webview and execute the javascripts there. That's the only possible i've ever heard of. This is the same technique used for EPUB documents, where we load the complete HTML content in webview then we execute external Javascript queries into that view, so you can modify the HTML, CSS attributes.
Related
I have a legacy web application that we are not allowed to modify yet. We need to add a new function to the application in the short term. We have been told that we may modify the webpage with any local scripts we want but we have to wait 4 months before they will unlock the application.
So my goal is to create a webpage locally, click on that local html file and have it open the url for the legacy application, and then inject the new JavaScript function to the application.
On "your" page, use an iFrame to "import" the page you cannot edit, on your page add whatever modifications you need/want.
If there is no server side scripting on the page, then copy the page source to your page, and add whatever you want to it. It is difficult to give you a focused answer without having access to or more information about the actual legacy page.
It can't be done directly since browsers prevent cross site scripting so injecting js from local machine will complain with same origin errors the only workaround i know is to use developer tools and open console then you can type your JavaScript there and run it directly
I'm trying to develop a Chrome extension that is supposed to completely replace a specific website's pages with a new UI. In other words, when the user visits said website, the extension should "intercept" it seamlessly and display the new "app" (preserving the URL and without opening a new tab or window). I currently use a content script to manipulate the DOM, but it's too messy.
Chrome apps such as Google Docs achieve the same goal through URL handlers, but they're not an option since they're now deprecated.
Currently, I'm aware of two options:
Intercept the URL and redirect it to an extension URL. I want the URL to be preserved.
Use a content script to stop the page from loading at document_start (using window.stop()) and then "inject" the new app. Apparently, that works, but it sounds quite hacky and prone to unexpected glitches.
What I'd like to know:
Is the second approach good enough? What limitations and other issues will I face if I use it?
Is there any other approach that is at least as good (and preferably designed for this purpose)?
You can't open a chrome app in a tab, only in a window. I don't think they have content scripts either.
Also, chrome apps are now only available on chrome os when you publish it for the first time (existing chrome apps work for any os).
To solve your question, you could use an extension with content scripts and just open up an iframe fullscreen so the url is preserved in the omnibox and it could have the page you want in the iframe as the page that would be in the app.
Content handlers are meant for opening a special protocol url to do something like send an email, etc. Examples would be like tel://, sms://, mailto:, etc.
So you would not want this. Also they aren't that noticable when approving to handle the protocol.
This is not a question if a web application can be safe/secure to use !!
But if I have a session or encryption key and like to hide it as good as possible on the client side with javascript - what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script at least in Chrome. In my view this is a big mistake from the developers as they hide the web pages javascript from the extension but allow it to see web-storage. Everywhere it is stated that the extension can only see the DOM but I do not think most people think that this also include web-storage!
So how can I secure a session key so it is away from reach of an extension? Unable to encrypt it as I then just need to hide the key. The problem is that the session have to be valid for all pages of the site so I can not just keep it in javascript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: Do not know if this is also a problem for other browsers
An extension, given permission to access your page, can do anything.
A code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, will full access to your JS context.
That is not to even to mention chrome.debugger API.
So no, you cannot secure your client-side data from extensions that user consented to run on your page, just as you can't secure your data from the browser itself.
Note: I haven't been able to find question on the site, if it exists close this as duplicate.
For out application we have a browser based client using javascript. Our application follows client server architecture, but is deployed only on premise ie it is not exposed to web.
I am thinking of providing limited scripting support to user (using javascript) somewhat similar to that providing in desktop based application (like matlab)
Is it safe to allow user to script.
What is the safe way to implement (eval, using iframe etc)
From a security perspective: Running scripts on the page is not a problem, A user can already do that by pressing f12 and opening up the console.
The problem is if you allow users to save js into your db which is then loaded on the page by another user.
Imagine if you had a commenting system that allowed script tags, a potential prankster can now perform any of the functions the user can.
Or even anchor tags click on me
If it is just for the user, I would append the scripts to the body.
var scr = document.createElement("script");
scr.textContent = 'alert("hi")';
document.body.appendChild(scr);
I am monitoring browser events such as when a new tab is created. My extension needs to display these browser events in the new tab page.
To make versioning easier I would like the extension to be as dumb as possible. That is, all it needs to do is tell me is that a tab has been created and I need to be able to tell the extension to switch to a tab. Then I do not have to worry about what extension versions people have installed.
The new tab page so far is a redirect to my single-page app hosted on my server.
My options seem to be:
Using custom events to send messages between the content script and embedding page: http://code.google.com/chrome/extensions/content_scripts.html#host-page-communication
This seems like a security risk as the page javascript will also have access to the DOM and hence the messages I am exchanging.
Loading the HTML from server into an iframe, pulling application JS from server and injecting it into the iframe as a contentscript. This allows the app's JS to have full access to the chrome extension API which is what I need.
Another consideration is that my project is currently using RequireJS. For option 2, it seems I won't be able to use this.
Can anyone recommend the preferred option keeping in mind the security risks of option 1?
Will I be able to use RequireJS with option 2?
Is there another way to acheive this?