I am trying to work out how to best implement direct firefox-addon installation from my website. Besides simply prompting the user to install the addon, I would also want to get the result of the user action (accepts installation or cancels it).
Research on google generally points to the use of InstallTrigger.install(), which works fine except that there is no functional callback that I can use to know the result of the user's action.
Though InstallTrigger.install() does accept a callback, the callback is not fired unless the current viewing page is a whitelisted domain (e.g. AMO):
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/XPInstall/Reference/InstallTrigger_Object/Methods/install
So I am wondering:
Is there any alternative way to get the result of the addon installation, and
Does mozilla have anyway to accept a domain into their default addon installation whitelist.
Thanks a lot!
Just to get this question off the Unanswered list.
The XPInstall whitelist only contains Mozilla's sites, so Mozilla doesn't seem to have a way to accept a domain into their default addon installation whitelist.
The browser itself will not notify the untrusted web page about the results of the add-on installation. If your extension is restartless, it can notify the page it has been installed via postMessage.
Related
I have my first brand new google chrome extension, which I'd like to upload to the chrome web store. The thing is that my extension is using native messaging via stdio to a c++ exe. The extension also required a registry key to be installed.
Is it possible to upload the required files to the chrome web store (including exe and dll dependency)? Is there a way to automate the installation of the registry key (required to send messages from chrome extension js to exe), and register dll?
The idea behind chrome-extensions (and native messaging) is to limit the giant security hole that is NPAPI: to create a divide between the browser and the desktop that runs it. For this reason, you'll need to perform two separate installations: one for the extension and another for the native code.
To the best of my knowledge, you can't bundle the binary with the extension. But you might be able to (partially) do it the other way around: have the native code also install the extension:
There is a way to partially automate the process of installing the extension: you can pre-load the extension via the registry. This only applies to extensions on the chrome web-store (CWS). I believe this requires to reboot chrome. And of course the user is notified that an extension was installed. see here - https://developer.chrome.com/extensions/external_extensions
There's also something called "inline installation" - not quite "automatic", but this should make it easier for your users to install the extension from "within" your site (as opposed to the CWS). The extension still needs to be hosted on the CWS, but the user needs not navigate there.
see here - https://developer.chrome.com/webstore/inline_installation (and especially the line section - about verified site - which requires that you register your site with Google - and thus may render this technique useless to you)
I have chrome extension which get installed with using installer which install some process and browser extensions. As per chrome security changes stand alone installation will be blocked.Google to block local Chrome extensions
If we host extension on chrome store what are the ways we can redirect chrome from installer to install extension.
According to the Chromium Blog:
If your extensions are currently hosted outside the Chrome Web Store you should migrate them as soon as possible. There will be no impact to your users, who will still be able to use your extension as if nothing changed. You could keep the extensions hidden from the Web Store listings if you like. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature.
So, basically, what you need to do is:
Host your extension on the Chrome Web Store (optionaly keeping it hidden from the listings).
Have your installer open a Chrome browser window pointing to a webpage on your site.
On that page have all necessary info and data for the user to initiate the extention's installation process. (The key concept here is that the user has to initiate the installation process, e.g. by clicking a button.
How does inline installation work:
The HTML page on your site from which you want inline installation to occur must contain one or more tags in the section referencing the items that the user can install. Each tag must have the following format:
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/itemID">
To actually begin inline installation, the chrome.webstore.install(url, successCallback, failureCallback) function must be called. This function can only be called in response to a user gesture, for example within a click event handler; an exception will be thrown if it is not.
(emphasis mine)
More info on the inline installs feature.
I want to implement in my website a functionality like in google chrome website, that a user click on a website form and the file will auto download and install itself without any user approve or interferance.
Here is the google chrome website: https://www.google.com/chrome/index.html?hl=iw
I know that they use clickonce technology by ms for IE and oneclick technology by google for all other browsers, but there is a way that i can also use thier code and their technology to run my own files?
I know they also use google update task that runs on windows background but I dont know how to use it with my own files.
As far as I know, this functionality is possible only if the client has .NET Framework (version 4 I guess), and your domain is in the trusted domains list of the user's preferences for this functionality. So this would work only on Windows platform, and your domain need to be added to the mentioned list (what is unlikely to happen I guess). A short answer is NO, you can't do this, if you are not a corporation like Google.
Bonus: You don't need it, users do not like to be tricked, they want to know everything that happens with they computer.
For security reason, you cannot access file from your website. What would happen if a user open a website, and they got some programs installed in their machine? That's gonna be serious problem
While debugging a client app that uses a Google backend, I have added some debugging versions of the functions and inserted them using the Chrome Developer Tools script editor.
However there are a number of limitations with this approach, first is that the editor doesn't seem to always work with de-minified files, and when the JS file is 35K lines long, this is a problem.
Another issue is that all the initialization that is done during load time, uses the original "unpatched" functions, hence this is not ideal.
I would like to replace the remote javascript.js file with my own local copy, presumably using some regex on the file name, or whatever strategy was suitable, I am happy to use either Firefox or Chrome, if one was easier than the other.
So basically, as #BrockAdams identified, there are a couple of solutions to these types of problem depending on the requirements, and they follow either 1 of 2 methods.
the browser API switcharoo.
The proxy based interception befiddlement.
the browser API switcharoo.
Both firefox and chrome support browser extensions that can take advantage of platform specific APIs to register event handlers for "onbeforeload" or "onBeforeRequest" in the case of firefox and chrome respectively. The chrome APIs are currently experimental, hence these tools are likely to be better developed under firefox.
2 tools that definitely do something like what is required are AdBlock plus and Jsdeminifier both of which have the source code available.
The key point for these 2 firefox apps is that they intercept the web request before the browser gets its hands on it and operate on the other side of the http/https encrpytion stage, hence can see the decrypted response, however as identified in the other post that they don't do the whole thing, although the jsdeminifier was very useful, I didn't find a firefox plugin to do exactly what I wanted, but I can see from those previous plugins, that it is possible with both firefox and chrome. Though they don't actually do the trick as required.
The proxy based interception befiddlement This is definitely the better option in a plain HTTP environment, there are whole bunch of proxies such as pivoxy, fiddler2, Charles Web HTTP proxy, and presumably some that I didn't look at specifically such as snort that support filtering of some sort.
The simplest solution for myself was foxyproxy and privoxy on firefox, and configure a user.action and user.filter to detect the url of the page, and then to apply a filter which swapped out the original src tag, for my own one.
The https case. proxy vs plugin
When the request is https the proxy can't see the request url or the response body, so it can't do the cool swapping stuff. However there is one option available for those who like to mess with their browser. And that is the man-in-the-middle SSL proxy. The Charles Web HTTP proxy appears to be the main solution to this problem. Basically the way it works is that when your browser makes a request to the remote HTTPS server, the ssl proxy intercepts the request and from the ip address of the server generates a server certificate on the fly, which it signs with its own root CA, and sends back to the browser. The browser obviously complains about the self-signed cert, but here you can choose to install the ssl proxy root CA cert into the browser, befuddling the browser and allowing the ssl proxy to man in the middle and make replacements and filters on the raw response body.
Alternative roll your own chrome extension
I decided to go with rolling my own chrome extension, which I am planning to make available. Currently its in a very hardcoded to my own requirements state, but it works pretty good, even for https requests and another benefit is that a browser plugin solution can be more tightly integrated with the browser developer tools.
I have a website which uses some functionality implemented in the Firefox extension, which I developed. JavaScript script on one of my webpages requires UniversalXPConnect privilege for communicating with XPCOM component implemented in my Firefox extension.
By default, when my script tries to enable this privilege for accessing XPCOM component:
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
... the following error occurs:
Error: A script from "http://example.com" was denied UniversalXPConnect privileges.
To enable this privilege currently users need to manually edit "signed.applets.codebase_principal_support" setting in "about:config" Firefox page.
From this page: http://www.mozilla.org/projects/security/components/signed-scripts.html I learned that it is possible to explicitly sign my webpage containing script which requires this privilege. After I sign my script users will not need to manually edit above mentioned setting.
Website is hosted on Linux platform under Drupal CMS.
I would very much appreciate if you could give me detailed step-by-step instructions on how do I sign my script (what tools should I download, how to create certificate, etc.), such that after following your instructions editing about:config setting will not be necessary.
As of Firefox 16 signing the script will not likely work since support for universalXPconnect seems to have been removed and you should now use an add-on for added privileges although I don't know how. https://bugzilla.mozilla.org/show_bug.cgi?id=546848
EnablePrivilege is disabled in Firefox 15 and will be removed in Firefox 17.
check out this:
https://developer.mozilla.org/en-US/docs/Bypassing_Security_Restrictions_and_Signing_Code