is there a possibility to set flags like allow-downloads or allow-popups in slate? i would like to generate small PDF files with custom functions, but since the code runs sandboxed the browser prevents opening popups or downloads.
Unfortunately this is not possible and as is a side effect of the sandboxing. The reason for the sandboxing, is to avoid non sandboxed code from pushing data outside of foundry, which would facilitate rogue actors to bypass security settings and steal data.
Related
I recently installed a nice Chrome Extension that is only useful from time to time. I would like to prevent it from gathering private data (history, email adresses, etc) when not in use.
Does the fact of disabling the extension stop all data sharing ?
Thanks a lot !
When the browser starts with a disabled extension, the extension never runs.
When you disable an extension that was previously enabled, its scripts/pages are terminated immediately except for the content scripts. If the extension doesn't have content scripts in currently open tabs, then the extension is completely expunged at this point.
When you disable an extension that was previously enabled and it has content scripts in some tabs, these content scripts keep running, but they can't communicate with the extension's core, which has been completely terminated and disabled, so they are bound by the restrictions of the site i.e. they can't send data to a cross-origin URL, but they still can expose the data implicitly by loading a hidden image or CSS stylesheet with the data added as a URL query parameter in case the site doesn't have a strict CSP (Content-Security-Policy). Most sites don't have a strict CSP.
You can reload all tabs or restart the browser to get rid of these leftovers.
Almost all useful extensions require permission to access and modify all data on a page.
We can't be sure that a chrome extension is malicious in the sense if it's leaking my data or not.
I realise that many extensions which I use for example the great suspender, even though it needs access to all site data, it doesn't need to communicate with outside world.
Is there a way to block specific chrome extensions from making any network requests at all. ( can we block all outgoing/incoming traffic to a chrome extension. )
I can't keep monitoring a extension 24/7 to see when is it leaking data, For all you know it could be leaking once a month.
No, there's no way to block just the network communication of an extension without blocking its site access (aka "host permissions") entirely. That's because a malicious extension can open a tab with its controlling site (or a hidden iframe in the background script) and insert js code as a standard DOM script which the browser will attribute to the page itself so it'll be able to communicate with the site's domain to upload the exfiltrated data.
So, what you can do practically is to protect the most sensitive sites you use from all extensions by adding a local ExtensionSettings policy with runtime_blocked_hosts that contains that site(s). This will prevent all extensions from accessing the entire site either via content scripts or network requests. Example: {"*": {"runtime_blocked_hosts": ["*://lastpass.com"]}}. And if you have an extension you trust then you can relax this rule for that extension by using runtime_allowed_hosts. See the policy link above for more examples.
We are creating a Word add-in where user can download documents. It worked perfectly fine, although in the console it gave a warning about downloading from an iFrame being deprecated.
After updating Chrome, I now get the following error when trying to download:
Download is disallowed. The frame initiating or instantiating the
download is sandboxed, but the flag ‘allow-downloads’ is not set. See
https://www.chromestatus.com/feature/5706745674465280 for more
details.
When following the above link, it provides the following information:
Chrome is planning on removing this capability - i.e. Chrome is going
to block all downloads initiated from or instantiated in a sandboxed
iframe by default. The embedder may add "allow-downloads" to the
sandbox attributes list to opt in. This allows content providers to
restrict malicious or abusive downloads.
How can I add "allow-downloads" or "allow-downloads-without-user-activation" to the sandbox attributes in the Word add-in?
Is there a workaround to enable downloading files?
I've had a Google Apps Script web app running for a bit over a year which gave users an option to download a csv file. It worked perfectly fine, although in the console it gave a warning about downloading from an iFrame being deprecated.
After updating Chrome, I now get the following error when trying to download:
Download is disallowed. The frame initiating or instantiating the
download is sandboxed, but the flag ‘allow-downloads’ is not set. See
https://www.chromestatus.com/feature/5706745674465280 for more
details.
When following the above link, it provides the following information:
Chrome is planning on removing this capability - i.e. Chrome is going
to block all downloads initiated from or instantiated in a sandboxed
iframe by default. The embedder may add "allow-downloads" to the
sandbox attributes list to opt in. This allows content providers to
restrict malicious or abusive downloads.
How can I add "allow-downloads" to the sandbox attributes in the Google Apps Script environment? Alternatively, is there a workaround to enable downloading files?
It is discussed here https://issuetracker.google.com/issues/157368720 that HtmlService.XFrameOptionsMode.ALLOWALL should set allow-downloads on GAS web app sandbox. We should watch this issue for changes.
Include sandbox="allow-downloads" in your iframe tag, which contains the code that is used for downloading the CSV file.
Update as of 07/29/2020:
The attribute "allow-downloads" has now been added to the sandbox attributes and there is no longer any issue downloading files.
There is one work around that I found if you have a download button, you can right click and open in a new tab. You have to rename the file but at least you can get it, until there is a fix.
My requirement is to show a panel where I list the local system directory, from where I drag and drop the files inorder to perform operations on it.
In HTML5 the FileSystem API is available , but most of the browsers are not supporting.
Is it possible by using input type as file? Like we browse and select a directory, then we can see the list of files and their details?
As the previous commenters correctly noted, this is not possible because it is considered a security hole. Think about a malicious script that could read out everything on your local file system just by visiting a web page.
You can however implement file drag-and-drop like this: https://github.com/moxiecode/plupload