Verifying Javascript integrity with Firefox extension - javascript

I am working on an environment that relies on unedited scripts. All the basics are covered (secured location, https ...), but I'd like to add an additional check by verifying the scripts (calculating a checksum) in the users browser via a Firefox extension.
How would an extension be able to access the source of a loaded script? As I am fairly new to developing Firefox extensions, any hints are greatly appreciated.

Related

Google Oauth2 in Chrome Extension in background.js

I am building a Chrome Extension for my personal use (i.e. it will not be packaged and distributed) to dump data from a website into Google Sheets. I'd like to click on the Extension and have it process the data to my sheet. I believe this means I need to do the Oauth flow in background.js.
I did the initial authorization flow by customizing this Google Sheets demo, can't figure out how to make it work in my Extension.
I've tried a number of approaches, including using the chrome.identity API, and gapi.client.init(), and following the Chrome App sample. No dice.
Some of my questions...thanks in advance:
To what extent do Chrome Extensions mirror Chrome Apps? I understand that Chrome Apps are being deprecated, so wondering if the docs are inconsistent.
Is it possible to do this without packaging and uploading my app? The Oauth credentials page in Console asks for a Web Store URL
Is it acceptable to store a copy of Google's api.js in my extension, or must I load it from https://apis.google.com/js/client.js? If so,
For the Chrome App Sample, Where do I get the key included in manifest.json? I've seen instructions like "Copy key in the installed manifest.json to your source manifest" but I don't understand.
Is anyone aware of a complete, self-contained Chrome Extension sample?
To what extent do Chrome Extensions mirror Chrome Apps? I understand that Chrome Apps are being deprecated, so wondering if the docs are inconsistent.
Extensions and Apps are similar in many ways, however for your situation the main hurdle to overcome is the two handle Google Authentication differently. Extensions have permission limitations, where javascript can't run in certain places. Therefore, Chrome Extensions use chrome.identity in background.js to establish a secure connection and token. The general process to implement it is as follows:
Make a Chrome Extension, zip it, upload to your Google Dev account & get extensionID#
In Google API Console, register an OAuth ClientID# using the extensionID#
Update your Chrome Extension manifest to include an 'oauth2' section with the OAuth ClientID# as well as the scopes you allow, and include 'identity' under "permissions:"
Enable the API of your choosing in the Google API Console and generate a key. Include this key in your background.js file so you can use the API.
Is it possible to do this without packaging and uploading my app? The Oauth credentials page in Console asks for a Web Store URL
No, mainly because you need both the chrome extension and the API to be aware of each other and be 'linked' in a sense so they can be secure and work properly. You can still have a private app however, as you only need to package (.zip it) and upload it into your Developer Dashboard, and you can leave it out of the public Chrome Store by simply not publishing. It can forever linger in 'Draft' stage for your personal use.
Is it acceptable to store a copy of Google's api.js in my extension, or must I load it from https://apis.google.com/js/client.js? If so,
For the Chrome App Sample, Where do I get the key included in manifest.json? I've seen instructions like "Copy key in the installed manifest.json to your source manifest" but I don't understand.
You don't need to store a copy within your extension, you can add the following to your manifest.json:
"content_security_policy": "script-src 'self' https://apis.google.com/; object-src 'self'"
and then this at the bottom of your popup.html:
<script src="https://apis.google.com/js/client.js?onload=onGAPILoad"></script>
It's a rather confusing process without a guide; here is the one that finally made sense of it all for me. This official example from Google is a good one as well.
Is anyone aware of a complete, self-contained Chrome Extension sample?
'self-contained' is a bit tricky here, as the manifest needs to reference keys specific to the OAuth ClientID and API that YOU are utilizing, however this (download link) along with the two links above should be enough to get you to a working extension.
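A background.js for the flow the answer outlines, added here as an example and not taken from the answer or from Google's samples. It assumes an MV2 manifest that declares `"permissions": ["identity"]` and an `"oauth2"` block with your client ID and the Sheets scope, a placeholder spreadsheet ID, and a browser action button as the trigger. The request builder is a pure function so the Authorization header and URL can be checked outside the browser.

```javascript
// Added example, not code from the original answer. Obtain an OAuth token with
// chrome.identity and append one row to a Google Sheet from background.js.
// Assumed: manifest.json has "permissions": ["identity"] and an "oauth2" block
// whose scopes include the Sheets scope below; spreadsheet ID is a placeholder.
const SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets";

// Build the Sheets API values:append request. Pure function so it is testable.
function sheetsAppendRequest(token, spreadsheetId, range, row) {
  if (typeof token !== "string" || token.length === 0) throw new Error("missing token");
  const url = "https://sheets.googleapis.com/v4/spreadsheets/" + encodeURIComponent(spreadsheetId) +
    "/values/" + encodeURIComponent(range) + ":append?valueInputOption=RAW";
  return {
    url,
    init: {
      method: "POST",
      headers: { Authorization: "Bearer " + token, "Content-Type": "application/json" },
      body: JSON.stringify({ values: [row] }),
    },
  };
}

// Promise wrapper around the callback API. interactive:true shows the consent
// screen on first use; later calls return the cached token silently.
function getAuthToken(interactive) {
  return new Promise((resolve, reject) => {
    chrome.identity.getAuthToken({ interactive, scopes: [SHEETS_SCOPE] }, (token) => {
      if (chrome.runtime.lastError || !token) {
        reject(new Error(chrome.runtime.lastError ? chrome.runtime.lastError.message : "no token"));
      } else {
        resolve(token);
      }
    });
  });
}

async function appendRow(spreadsheetId, range, row) {
  let token = await getAuthToken(true);
  const send = () => {
    const { url, init } = sheetsAppendRequest(token, spreadsheetId, range, row);
    return fetch(url, init);
  };
  let res = await send();
  if (res.status === 401) {
    // Cached token expired or was revoked: drop it and retry once with a fresh one.
    await new Promise((done) => chrome.identity.removeCachedAuthToken({ token }, done));
    token = await getAuthToken(true);
    res = await send();
  }
  if (!res.ok) throw new Error("Sheets API error " + res.status);
  return res.json();
}

// Only wire the button up when actually running inside the extension.
if (typeof chrome !== "undefined" && chrome.browserAction) {
  chrome.browserAction.onClicked.addListener(() => {
    appendRow("YOUR_SPREADSHEET_ID", "Sheet1!A1", [new Date().toISOString(), "hello"])
      .then((r) => console.log("appended", r.updates))
      .catch((e) => console.error(e));
  });
}
```

The token never leaves the extension except as a bearer header to `sheets.googleapis.com`, so no API key and no copy of `client.js` is needed for this path; the CSP relaxation shown in the answer is only required if you load Google's script into the popup.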

Chrome Application - Interact with a tab [duplicate]

I need to combine functionality available only in a Chrome packaged app (access to syncFileSystem) and functionality available only in a Chrome extension (injecting a script into a 3rd party website).
It seems that neither a packaged app nor an extension can achieve both these things, so I'm now considering trying to achieve what I'm after with a separate packaged app and extension communicating.
I see that Chrome's documentation explains how two extensions can communicate via chrome.runtime.onMessageExternal.addListener and chrome.runtime.sendMessage, but nothing about packaged apps and extensions communicating.
Does anyone know if this is allowed? Is there any documentation, or a working example out there?
Yes, that is possible. The code sample in the documentation you linked works for any combination of app and extension.
The extension documentation for chrome.runtime.sendMessage says:
Sends a single message to onMessage event listeners within the extension (or another extension/app).
Messaging works the same in both extensions and apps, and they seem to be fully compatible; simply use the ID for the destination extension or app. If you look at the docs for the app version of chrome.runtime.sendMessage, you'll see that it is identical to the extension version.
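Both halves of such an exchange, added as an example that is not part of the answer. The extension ID, app ID and message types are assumptions. The point worth adding for a practitioner: `onMessageExternal` fires for any installed extension or app that knows your ID, so the app must check `sender.id` against an allowlist before acting, and must validate the request before it touches `syncFileSystem`.

```javascript
// Added example, not code from the original answer. Extension <-> packaged app
// messaging over chrome.runtime with a sender allowlist on the receiving side.

// ---- receiving side: the packaged app's background page ----
const ALLOWED_SENDERS = new Set(["abcdefghijklmnopabcdefghijklmnop"]); // assumed extension ID

// Pure handler so the policy is testable outside Chrome.
// Returns the reply to send, or null when the message must be dropped.
function handleExternalMessage(message, sender) {
  if (!sender || !ALLOWED_SENDERS.has(sender.id)) return null;
  if (!message || typeof message.type !== "string") return null;
  switch (message.type) {
    case "ping":
      return { type: "pong", echo: message.payload === undefined ? null : message.payload };
    case "saveFile":
      // Validate before touching syncFileSystem: a plain file name only, no path parts.
      if (typeof message.name !== "string" || !/^[\w.-]{1,64}$/.test(message.name) ||
          typeof message.data !== "string") {
        return { type: "error", reason: "bad saveFile request" };
      }
      return { type: "saved", name: message.name, bytes: new TextEncoder().encode(message.data).length };
    default:
      return { type: "error", reason: "unknown message type" };
  }
}

if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const reply = handleExternalMessage(message, sender);
    if (reply) sendResponse(reply);
    // Dropped messages get no response; the sender's callback sees undefined.
  });
}

// ---- sending side: the extension ----
const APP_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"; // assumed packaged-app ID

function sendToApp(message) {
  return new Promise((resolve, reject) => {
    chrome.runtime.sendMessage(APP_ID, message, (reply) => {
      if (chrome.runtime.lastError) reject(new Error(chrome.runtime.lastError.message));
      else resolve(reply);
    });
  });
}

if (typeof chrome !== "undefined" && chrome.browserAction) {
  chrome.browserAction.onClicked.addListener(() => {
    sendToApp({ type: "saveFile", name: "notes.txt", data: "hello" })
      .then((reply) => console.log("app replied", reply))
      .catch((e) => console.error(e));
  });
}
```

If the app should only ever be reachable from one extension, the same restriction can be declared statically with `"externally_connectable": { "ids": ["<extension id>"] }` in the app's manifest, but the runtime check on `sender.id` is still worth keeping as defence in depth.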

Is the Chrome FileSystem API only available for Chrome Apps (from Chrome Web Store)?

I downloaded the Chrome App samples from https://github.com/GoogleChrome/chrome-app-samples and tried running the FileSystem sample.
The code works when installed from Chrome Web Store, but I'm interested to know whether the FileSystem API can be made to work for non-Chrome-app cases. A simple experiment trying to load index.html on localhost served by my local Apache webserver exhibits a failure because chrome.filesystem is undefined.
Is Chrome Filesystem intended only for Chrome Apps (I can see that clues might be in the name of the samples repo and the fact that it uses a manifest.json) or is there a way of making it work for general (non-Chrome-app) web applications?
Thanks
Is Chrome Filesystem intended only for Chrome Apps
Yes.
is there a way of making it work for general (non-Chrome-app) web applications?
No. Normal web applications are subject to many security limitations (because you "install" them by visiting a webpage).
A simple experiment trying to load index.html on localhost served by my local Apache webserver
Loading resources over HTTP can be done using the XMLHttpRequest object. No escalated privileges on the client required.

upload chrome extension to store including native application

I have my first brand new google chrome extension, which I'd like to upload to the chrome web store. The thing is that my extension is using native messaging via stdio to a c++ exe. The extension also requires a registry key to be installed.
Is it possible to upload the required files to the chrome web store (including exe and dll dependency)? Is there a way to automate the installation of the registry key (required to send messages from chrome extension js to exe), and register dll?
The idea behind chrome-extensions (and native messaging) is to limit the giant security hole that is NPAPI: to create a divide between the browser and the desktop that runs it. For this reason, you'll need to perform two separate installations: one for the extension and another for the native code.
To the best of my knowledge, you can't bundle the binary with the extension. But you might be able to (partially) do it the other way around: have the native code also install the extension:
There is a way to partially automate the process of installing the extension: you can pre-load the extension via the registry. This only applies to extensions on the chrome web-store (CWS). I believe this requires restarting Chrome. And of course the user is notified that an extension was installed. see here - https://developer.chrome.com/extensions/external_extensions
There's also something called "inline installation" - not quite "automatic", but this should make it easier for your users to install the extension from "within" your site (as opposed to the CWS). The extension still needs to be hosted on the CWS, but the user needs not navigate there.
see here - https://developer.chrome.com/webstore/inline_installation (and especially the section about verified sites - which requires that you register your site with Google - and thus may render this technique useless to you)

Safari 5.0 Extension Scripts Won't Run on Local Files

I wrote a very simple extension for Safari 5 that only outputs a single log message from a start script. This is the start script:
console.log('start script running');
If I go to any internet page (eg. http://www.yahoo.com) the log message appears in the error console. But if I open any local html page no log message appears. By local I mean on my local machine. It's like my start script never gets run for local pages (eg. C:/blank.html).
Is there a permission setting I'm overlooking or is this a feature of Safari 5?
Brent
Caveat: I only have a passing familiarity with the Safari extension system. I work on Google Chrome which is based on WebKit. Safari is also based on WebKit.
In a Google Chrome extension, you can inject a script into a local page using the file:// permission. But I’m pretty sure there’s no analogue for Safari extensions.
The Safari page on script injection also seems to say you can’t interact with local files:
“You cannot access resources on the user’s hard drive outside of the extensions folder.”
There is no way to inject scripts on local files.
If you feel like it, you may complain at bugreport.apple.com.
