Read Chrome browsing history within extension - javascript

How can I check if a certain link is found in Chrome's browsing history(on the computer that accesses the link) using JavaScript or jQuery? I am interested (if any) in the functions that I have to use. Also how can I get the date and time of the accessed link?

Retrieving the users history from javascript launched from a web page is impossible due to obvious blatant security issues.
Retrieving the users history from javascript running in an extension is possible, but doing so requires elevated permissions that the user has to grant after being warned. In summary you are probably looking for the chrome.history.getVisits() function. You can find more information on how to access the history using chrome.history here and the resulting security warnings given to the user here.

Nonono! That cannot happen. Unless you make a plugin, but I still doubt it.
This might be off topic but you might be interested in google analytics.

this chrome extension allow you to use browser address bar to search keywords, which will automatically search against your browser history and give you suggestion
Chrome webstore - history as bookmark

This is just not possible with Chrome because of security. What you would have to do is use cookies and add to the cookie each page the user is on along with the time visited.
Problem with this it will only track a user on your site not others. Cookies are only suppose to hold small amounts of info not long tracks of what page your user has been on. Also a user can disable cookies...
Another way is maybe doing this serverside and tracking the users IP through your pages and keep a list of what pages your user is visiting.

Related

GDPR: youtube-nocookie embedded URL's, need visitors' permission?

This is my first time posting on Stack Overflow and I have a question about the GDPR.
Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)
Situation:
On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.
After some research I stumpled upon the youtube-nocookie.com domain, which I am using now. Without using that domain, an embedded video url will be:
https://www.youtube.com/embed/7cjVj1ZyzyE
With using it, it is:
https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE
By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google.com/youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).
Image of the cookies:
Image of cookies youtube-nocookies.com places
This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.
Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.
Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.
Has anybody delt with this before?
Thanks in advance!
After some more research I think I found a clear answer. From a report of Cookiebot:
“Privacy-Enhanced Mode” currently
stores an identifier named “yt-remote-device-id”
in the web browser’s “Local Storage”. This
allows tracking to continue regardless of
whether users click, watch, or in any other way
interact with a video – contrary to Google’s
claims. Rather than disabling tracking, “privacyenhanced mode” seems to cover it up.
Source: https://www.cookiebot.com/media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf
The 'yt-remote-device-id' indentifier, along with some other ones, are, even with the use of the youtube-nocookie.com domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point of course).
So while no tracking 'cookies' cookies are placed, the tracking has moved to the browsers localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube video's with Privacy Enhanced Mode enabled should be loaded on the page.
Update
Gave some nuance in response to Marc Hjorth's comment.
i can confirm that the localStorage entry effectively replaces the funktion of the cookie. it is persistent and makes you identifiable across browser sessions. i get the same "yt-remote-device-id" value each time after restarts. only erasing the local storage makes a difference.

Retrieve URL scheme with javascript

I was wondering if there is a way to retrieve the URL scheme of a browser application using javascript (on mobile)?
For example:
You're browsing a web page on your phone using Google Chrome. Would it be possible for that page to run some javascript and retrieve the googlechrome:// scheme?
Thanks!
Edit:
I just found out that the 'navigator' object has a method called 'registerProtocolHandler' which lets websites register themselves as possible handlers for particular protocols.
This comes pretty close to what I need. The only problem is that this requires permission from the person who is visiting the website, which doesn't compliment the flow I'm going for. Also, it doesn't support Safari on iOS..
By the time your JavaScript is running on the webpage, the user's phone has used the URI Scheme (say googlechrome://) to choose a web browser it has installed. The browser then requests your site using a web protocol like http://. This is what window.location.protocol will provide.
So, JavaScript isn't aware of 'schemes' in the sense of 'browser applications'.
However, you can figure out the user's browser from their User Agent and then deduce a possible URI scheme from this. Still, you can't be certain the user didn't just open up Chrome and navigate to your site themselves, without ever tapping a link.
Note that user agents are not always reliable:
users of a browser can change the value of this field if they want (UA spoofing).

Coding browser extensions, Addons, Firefox, Safari, Chrome etc… Is this possible?

I'm not very familiar with browser extensions and before I begin to deeply explore them I have a few questions.
Let's say the extension injects JavaScript in the current website the user is visiting (if that's even possible). That injected JavaScript code will get, let's say the current URL for example purposes, and send it and store it on a database. Next time the user visits the same website, the user will get an extension notification informing that is the second or third or X time he or she has visited the same website.
Now that I have gave you the scenario, is the following possible? Injecting JavaScript from a browser extension to the current visiting website. If so, can I make some AJAX communication with the JavaScript and a PHP server?
Yes, you can inject stuff. See e.g. Insert code into the page context using a content script and How to inject javascript into page, from a Firefox add-on, and run it? or one of the many dupes there likely are.
You can then use whatever communication would be available between the site and a server, e.g. XHR, WebSockets, JSONP.
Please also check the policies of the Chrome Web Store and Mozilla Add-ons site regarding content/code injection and privacy rules. E.g. the Mozilla Add-ons will reject your add-on if you injected remote scripts (meaning code that is not bundled, e.g. originating from e.g. http:) and may also reject your stuff if you track users without prior explicit user consent.

Wiping browser history with javascript (or preventing URL from being recorded)

I have a client (domestic violence center) who wants to know if we can prevent their site from showing up in browser history, or wipe the users visit from their browser history when they exit the site.
I know once someone is on the site we can build it in ways that prevent new pages from loading like a normal page using location.replace for navigation, but that initial page visit when someone typed in http://example.org will still be in the history.
Is it possible on page load to prevent the page from being recorded in the history, or erase the record if it exists?
I have a bad feeling it can't, but if anyone will know it's all my smartypants friends on Stack Overflow.
Unfortunately this can't be done.
For your clients scenario, my best advice would be that users are educated on how to remove their visit from their browser history, and how to use anonymous browsing/private mode/incognito mode in future visits.
Quoting MDN:
There is no way to clear the session history or to disable the
back/forward navigation from unprivileged code. The closest available
solution is the location.replace() method, which replaces the current
item of the session history with the provided URL.
So I think what your client wishes for is just not possible.
Add script to recognise each browser, and provide browser specific steps to erase history/use incognito mode.
A properly configured proxy server may be of use in that context.

Two browsers on different machines view the same page

I am thinking of a remote help application where a user needs help navigating a web site.
How can a second user see what the first user is seeing so they can help them over the phone.
Could both users interact with the website?
Is there a solution that will work in any browser that requires no special downloads. I can imagine a simple system where the user browser updates the server with the current location URL but how to see the mouse clicks and dynamic Javascript changes etc.
Edit: This is called "cobrowsing" see wikipedia for a list of solutions
Why not use an existing screen-sharing solution, like http://join.me ?
unblu allows two users to interact with the same website
requires no download
works with Javascript/AJAX etc
works of SSL
can be either cloud or privately hosted
There are others that I have not investigated - you can see a list in the cobrowsing wikipedia page.

Categories