I'm not very familiar with browser extensions and before I begin to deeply explore them I have a few questions.
Let's say the extension injects JavaScript in the current website the user is visiting (if that's even possible). That injected JavaScript code will get, let's say the current URL for example purposes, and send it and store it on a database. Next time the user visits the same website, the user will get an extension notification informing that is the second or third or X time he or she has visited the same website.
Now that I have gave you the scenario, is the following possible? Injecting JavaScript from a browser extension to the current visiting website. If so, can I make some AJAX communication with the JavaScript and a PHP server?
Yes, you can inject stuff. See e.g. Insert code into the page context using a content script and How to inject javascript into page, from a Firefox add-on, and run it? or one of the many dupes there likely are.
You can then use whatever communication would be available between the site and a server, e.g. XHR, WebSockets, JSONP.
Please also check the policies of the Chrome Web Store and Mozilla Add-ons site regarding content/code injection and privacy rules. E.g. the Mozilla Add-ons will reject your add-on if you injected remote scripts (meaning code that is not bundled, e.g. originating from e.g. http:) and may also reject your stuff if you track users without prior explicit user consent.
Related
I was wondering if there is a way to retrieve the URL scheme of a browser application using javascript (on mobile)?
For example:
You're browsing a web page on your phone using Google Chrome. Would it be possible for that page to run some javascript and retrieve the googlechrome:// scheme?
Thanks!
Edit:
I just found out that the 'navigator' object has a method called 'registerProtocolHandler' which lets websites register themselves as possible handlers for particular protocols.
This comes pretty close to what I need. The only problem is that this requires permission from the person who is visiting the website, which doesn't compliment the flow I'm going for. Also, it doesn't support Safari on iOS..
By the time your JavaScript is running on the webpage, the user's phone has used the URI Scheme (say googlechrome://) to choose a web browser it has installed. The browser then requests your site using a web protocol like http://. This is what window.location.protocol will provide.
So, JavaScript isn't aware of 'schemes' in the sense of 'browser applications'.
However, you can figure out the user's browser from their User Agent and then deduce a possible URI scheme from this. Still, you can't be certain the user didn't just open up Chrome and navigate to your site themselves, without ever tapping a link.
Note that user agents are not always reliable:
users of a browser can change the value of this field if they want (UA spoofing).
I'm trying write an extension which runs whenever you visit a steam profile. The extension gets the profile's ID, and should then call my database to check if they are a scammer, trusted middleman, etc.
I have written a version which works perfectly, however it has been denied by Google:
We routinely review items in the Chrome Web Store for compliance with
our Program policies to ensure a safe and trusted experience for our
users. Per our policies, where possible, make as much of your code
visible in the package as you can. If some of your app's logic is
hidden and it appears to be suspicious, we may remove it.
Your item was found to have requested/fetched one or more external
scripts. An example of one such instance in your item was found in
check.js line 18.
To have your item reinstated, please make any necessary changes to
ensure:
All of the files and code are included in the item’s package. Avoid
requesting or executing remotely hosted code (including by referencing
remote javascript files or executing code obtained by XHR requests).
The line of code in question is this:
fetch("https://www.example.com/check.php?id=" + id)
Is there a better/correct way of doing this that would be allowed in a web extension?
Thanks in advance.
This is not a question if a web application can be safe/secure to use !!
But if I have a session or encryption key and like to hide it as good as possible on the client side with javascript - what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script at least in Chrome. In my view this is a big mistake from the developers as they hide the web pages javascript from the extension but allow it to see web-storage. Everywhere it is stated that the extension can only see the DOM but I do not think most people think that this also include web-storage!
So how can I secure a session key so it is away from reach of an extension? Unable to encrypt it as I then just need to hide the key. The problem is that the session have to be valid for all pages of the site so I can not just keep it in javascript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: Do not know if this is also a problem for other browsers
An extension, given permission to access your page, can do anything.
A code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, will full access to your JS context.
That is not to even to mention chrome.debugger API.
So no, you cannot secure your client-side data from extensions that user consented to run on your page, just as you can't secure your data from the browser itself.
Some websites have JavaScripts which are used for browser fingerprinting. I know these type of scripts check and send data back to server like: browser user agent, screen resolution, fonts list and etc. So my question would be: is it possible to inspect these scripts from client side? If yes, how?
you can list all the scripts used by newer browsers thanks to performance.getEntries():
var scripts=[].slice.call(performance.getEntries())
.map(function(a){return a.initiatorType==="script" && a.name; })
.filter(Boolean);
alert(scripts); /* on this page in console: ["http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js", "http://cdn.sstatic.net/Js/stub.en.js?v=aa4bf2e33f9d", "http://cdn.sstatic.net/Js/full.en.js?v=207a95000ab6", "http://cdn.sstatic.net/Js/snippet-javascript.en.js?v=3a04bf1d3cc0", "http://cdn.sstatic.net/Js/post-validation.en.js?v=59400b6b717e", "http://cdn-prom.sstatic.net/WinterBash/js/core.js?2", "http://cdn.sstatic.net/Js/external-editor.en.js?v=49dac339584c", "http://winterbash2014.stackexchange.com/api/is-participating?callback=wbParticipating2682405&accountId=2682405&host=stackoverflow.com&_=1418692483862", "http://cdn.sstatic.net/Js/wmd.en.js?v=988f5766f506"] */
if you know of any bad-behaving filenames, you can detect and counteract them, or feed the list of urls to something that can fetch and scan the script contents themselves; not sure what your end-goal is here...
Yes, it is possible to inspect any script on any website with the right debugging tools and time to sort through things.
For any given web site, you can run a debugger like the Chrome debugger, open the network tab and see all network requests that the browser makes. You would then have to sort through those requests to see which ones contained the information you are looking for. If you then wanted to find the scripts responsible for those requests, you'd have to work backwards in analyzing the site and scripts to figure out which script contains the code making the request.
I am not aware of any automated way to detect exactly which requests contain the information you want. Tools like Disconnect.me automatically shield your browser from some common tracking techniques of some common services, but that tool can also cause problems on some sites where the site won't then work properly.
How can I check if a certain link is found in Chrome's browsing history(on the computer that accesses the link) using JavaScript or jQuery? I am interested (if any) in the functions that I have to use. Also how can I get the date and time of the accessed link?
Retrieving the users history from javascript launched from a web page is impossible due to obvious blatant security issues.
Retrieving the users history from javascript running in an extension is possible, but doing so requires elevated permissions that the user has to grant after being warned. In summary you are probably looking for the chrome.history.getVisits() function. You can find more information on how to access the history using chrome.history here and the resulting security warnings given to the user here.
Nonono! That cannot happen. Unless you make a plugin, but I still doubt it.
This might be off topic but you might be interested in google analytics.
this chrome extension allow you to use browser address bar to search keywords, which will automatically search against your browser history and give you suggestion
Chrome webstore - history as bookmark
This is just not possible with Chrome because of security. What you would have to do is use cookies and add to the cookie each page the user is on along with the time visited.
Problem with this it will only track a user on your site not others. Cookies are only suppose to hold small amounts of info not long tracks of what page your user has been on. Also a user can disable cookies...
Another way is maybe doing this serverside and tracking the users IP through your pages and keep a list of what pages your user is visiting.