What data is accessible to a disabled Chrome Extension? - google-chrome

I recently installed a nice Chrome Extension that is only useful from time to time. I would like to prevent it from gathering private data (history, email addresses, etc.) when not in use.
Does the fact of disabling the extension stop all data sharing?
Thanks a lot!

When the browser starts with a disabled extension, the extension never runs.
When you disable an extension that was previously enabled, its scripts/pages are terminated immediately except for the content scripts. If the extension doesn't have content scripts in currently open tabs, then the extension is completely expunged at this point.
When you disable an extension that was previously enabled and it has content scripts in some tabs, these content scripts keep running, but they can't communicate with the extension's core, which has been completely terminated and disabled, so they are bound by the restrictions of the site i.e. they can't send data to a cross-origin URL, but they still can expose the data implicitly by loading a hidden image or CSS stylesheet with the data added as a URL query parameter in case the site doesn't have a strict CSP (Content-Security-Policy). Most sites don't have a strict CSP.
You can reload all tabs or restart the browser to get rid of these leftovers.
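A check for the "strict CSP" condition mentioned in this answer, as an added example that is not part of the original answer: it parses a Content-Security-Policy header value and reports whether image and stylesheet loads are limited to named origins. The sample header values are constructed, and treating `*`, `http:` and `https:` as unrestricted is a simplification made by this example.

```javascript
// Added example: does a Content-Security-Policy restrict where images and
// stylesheets may be loaded from? All header values used here are constructed.

// Split a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// Simplification (assumption of this example): a source list is "open" when
// it is absent or contains a wildcard or a bare scheme, so any host matches.
function isOpen(sources) {
  if (sources === undefined) return true;
  return sources.some(s => s === '*' || s === 'http:' || s === 'https:');
}

// img-src and style-src fall back to default-src when they are not set.
function auditPassiveLoads(header) {
  const d = parseCsp(header);
  const effective = name => (d.has(name) ? d.get(name) : d.get('default-src'));
  return {
    imagesRestricted: !isOpen(effective('img-src')),
    stylesRestricted: !isOpen(effective('style-src')),
  };
}

for (const h of ['', "default-src 'self'", "default-src 'self'; img-src *"]) {
  console.log(JSON.stringify(h), auditPassiveLoads(h));
}
```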

Related

Is there a way to block all requests made by chrome extension

Almost all useful extensions require permission to access and modify all data on a page.
We can't be sure whether a chrome extension is malicious, in the sense of leaking my data or not.
I realise that many extensions which I use, for example The Great Suspender, even though they need access to all site data, don't need to communicate with the outside world.
Is there a way to block specific chrome extensions from making any network requests at all? (Can we block all outgoing/incoming traffic to a chrome extension?)
I can't keep monitoring an extension 24/7 to see when it is leaking data. For all you know, it could be leaking once a month.
No, there's no way to block just the network communication of an extension without blocking its site access (aka "host permissions") entirely. That's because a malicious extension can open a tab with its controlling site (or a hidden iframe in the background script) and insert js code as a standard DOM script which the browser will attribute to the page itself so it'll be able to communicate with the site's domain to upload the exfiltrated data.
So, what you can do practically is to protect the most sensitive sites you use from all extensions by adding a local ExtensionSettings policy with runtime_blocked_hosts that contains that site(s). This will prevent all extensions from accessing the entire site either via content scripts or network requests. Example: {"*": {"runtime_blocked_hosts": ["*://lastpass.com"]}}. And if you have an extension you trust then you can relax this rule for that extension by using runtime_allowed_hosts. See the policy link above for more examples.

What is the purpose and code content of Chrome's proxy script?

What is the purpose and the code content of the "Proxy Script" that Chrome attempts to load every time a new page is loaded?
An easy way to trigger this message is to turn on and off Airplane mode:
This happens when your computer's network settings have an HTTP proxy configured. The proxy auto-config (PAC) script file is specified in those settings; Chrome then downloads it and runs it to determine whether and how each request will be proxied. The script is provided by your proxy, not Chrome.
If you are not intentionally using proxies, you should remove the proxy configuration as it might be either unnecessary or malicious. But if this is a machine owned by your employer, it is probably intentional.
I'm not sure if this works the same way on all OSes, but for me on macOS, there's a link from Chrome's settings to the OS network settings:
The reason the message pops up when you enter/exit airplane mode is probably because that counts as a change of network configuration (between "no internet (and no proxy)" to "yes internet and also proxy"), and it's making sure it has the latest PAC script.
If you want to find out what the script contains, copy the PAC URL out of your network settings and download it separately; then you can read the code (which is JavaScript).
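What reading a downloaded PAC script tells you, shown as an added example that is not part of the original answer: a small Node.js harness that runs a PAC script's `FindProxyForURL` over a list of URLs and reports which ones would be sent through a proxy. The PAC text, the host `proxy.corp.example` and the three helper implementations are constructed for this example.

```javascript
// Added example: see which requests a PAC script would send through a proxy.
// SAMPLE_PAC is constructed; proxy.corp.example is a placeholder host.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(url, "https://*")) return "PROXY proxy.corp.example:8080; DIRECT";
  return "DIRECT";
}`;

// Minimal versions of three standard PAC helper functions.
const pacHelpers = {
  isPlainHostName: host => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, glob) => new RegExp('^' + glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')          // escape regex characters
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
};

// Evaluate PAC source. new Function() runs the code with no sandboxing, so
// use it only on a script you have already read, or inside a throwaway VM.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + '\nreturn FindProxyForURL;');
  return factory(...names.map(n => pacHelpers[n]));
}

// For each URL, return the proxy chain the PAC script selects.
function routeUrls(source, urls) {
  const findProxy = loadPac(source);
  return urls.map(u => ({ url: u, route: findProxy(u, new URL(u).hostname) }));
}

// URLs whose route is anything other than a plain "DIRECT".
function proxiedUrls(source, urls) {
  return routeUrls(source, urls)
    .filter(r => !/^\s*DIRECT\s*$/i.test(r.route))
    .map(r => r.url);
}

const SAMPLE_URLS = ['https://intranet/', 'https://wiki.corp.example/x',
  'https://www.example.org/', 'http://www.example.org/'];
console.log(routeUrls(SAMPLE_PAC, SAMPLE_URLS));
```

A proxy host you do not recognise in the `PROXY` entries, or rules that single out particular sites, are the things to look for in the output.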

chrome.webRequest.onBeforeRequest.addListener background Ajax request?

I want to change the fixed geolocation country of Google search. The only way without using a VPN I have found is adding gl=[country_code] to the URL. I created an extension for my use and added that part to the Google search URLs, and it worked. But I recently found that the auto completion (Suggestion) is not changed to the web page's country. That is, even though at the left bottom of Google's home page says "United States", the auto completion is still set to my geo-location, and giving a different list.
After some testing, I have found that Google calls https://www.google.com/complete/search... in the background, and if I append gl=[country_code] to the URL, I can change the country of auto completion. But adding https://www.google.com/complete/search?* like below did not work (modifyUrl was not called).
chrome.webRequest.onBeforeRequest.addListener(
    modifyUrl,
    {
        urls: [
            'https://www.google.com/search?*',
            'https://www.google.com/webhp?*',
            'https://www.google.com/complete/search?*'
        ],
        types: ['main_frame']
    },
    ['blocking']
);
Is there any way I can modify the auto completion URL? If there is a better way to change the country without using a VPN, I can use that, too.
Auto-complete searches in google.com site
These are performed via standard JavaScript XHR/fetch (use devtools to inspect the request's details) so you need to specify the type as xmlhttprequest when registering a webRequest listener, not main_frame.
Auto-complete searches in the address bar
These aren't reported to extensions since Chrome 71.
Quoting the reasons behind this decision from crbug.com/884932:
browser initiated requests which may be sensitive in nature or affect browser functionality
https://update.googleapis.com/service/update2 (component updater)
https://www.googleapis.com/chromewebstore/v1.1/items/verify (install signer, used for extension install verification)
https://clients2.googleusercontent.com/crx/blobs.... (downloading crx packages after sync)
https://lh3.googleusercontent.com/.... (Extension icon on the install dialog triggered from webstore)
https://www.google.com/complete/search?client=chrome-omni.. (related to omnibox)
https://www.google.com/async/ddljson?async=ntp:1 (related to ntp doodle)
https://www.google.com/chromesuggestions?t=1
https://cuscochromeextension-pa.googleapis.com/v1/omniboxsuggestions
https://googleapis.com/oauth2... (calls to gaia urls)
For example, one can easily prevent extension install verification or downloading synced extensions by blocking some of these requests. This may have other security implications as well.
We have implemented custom one-off solutions in the past to prevent things like this (e.g. we prevent extensions from intercepting browser initiated requests to some web store urls, safe browsing urls, one google bar requests made on behalf of the NTP etc.).
It seems to me that a more completion solution would be to prevent extensions from intercepting any non-navigation browser initiated requests.
The documentation was also updated:
[...] certain requests [...] are hidden [...] https://www.google.com/chrome, and other sensitive requests core to browser functionality.
Auto-complete searches in the default new/empty tab
The input box in the middle is a "fakebox" that merely focuses the address bar so it's the same as address bar search mentioned in the previous section. The search box be implemented as a real input (see crbug.com/243926) but it'll be still a part of the core browser UI, hence not exposed to extensions' webRequest.
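The fix described in the first section of this answer, as an added example that is not part of the original post: the question's listener registered for `xmlhttprequest` as well as `main_frame`. The body of `modifyUrl` and the `COUNTRY` value are assumptions, since the question does not show them.

```javascript
// Added example: the question's listener, registered for XHR/fetch requests
// as well as top-level navigations. COUNTRY is a sample value.
const COUNTRY = 'us';

// Hypothetical modifyUrl (the question does not show its body): returns a
// redirect with gl=<country> set, or {} to leave the request untouched.
function modifyUrl(details) {
  const url = new URL(details.url);
  // Without this check the redirected request would be redirected again.
  if (url.searchParams.get('gl') === COUNTRY) return {};
  url.searchParams.set('gl', COUNTRY);
  return { redirectUrl: url.toString() };
}

// Register only when running inside an extension. The 'blocking' option is
// the one used in the question and needs the webRequestBlocking permission.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    modifyUrl,
    {
      urls: [
        'https://www.google.com/search?*',
        'https://www.google.com/webhp?*',
        'https://www.google.com/complete/search?*',
      ],
      // Suggestions on the google.com page are fetched with XHR/fetch, so
      // 'main_frame' alone never matches them.
      types: ['main_frame', 'xmlhttprequest'],
    },
    ['blocking']
  );
}
```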

Modifying the built-in newtab page

I am not able to run my content script on the new tab page (where it is not assigned to any url).
I looked at various posts on the subject, i.e., Does content script have access to newtab page?
and What is the URL of the google chrome new tab page and how to exclude it from manifest.json
which seem to suggest it is possible.
I enabled chrome://flags/#extensions-on-chrome-urls
I have:
"permissions": [
    "http://*/*",
    "https://*/*",
    "chrome://*/*"
],
(also tried "*://*/_/chrome/newtab*")
Still no luck... what am I missing?
This answer, Can you access chrome:// pages from an extension?, mentions "wildcards are not accepted". Is this true? And if so, how to specify the newtab page?
The problem is that Chrome 61 and newer explicitly forbids access to the contents of its built-in new tab page (NTP) via content scripts or any other API.
The solution is to create the entire replacement page as an html file in your extension and specify it in chrome_url_overrides.
As for why, here's quoting [source] rdevlin, one of the developers of chrome extensions API:
There's a few reasons for this change. One is to enforce policy,
the other is for consistency.
We've had a public policy for awhile now that states that modification of
the NTP through anything other than Chrome URL overrides isn't allowed (though
we didn't begin enforcing this policy in many cases until July 1st). This is
merely bringing chrome code more inline with that same policy to help prevent
surprise if an extension is modifying the NTP and is taken down for policy
violations.
This is also for consistency, since we've actually treated scripts on the NTP
differently for years now, due to certain NTP magic. For example, the URL seen
by the browser on the NTP is chrome://newtab, but the url in the renderer is
https://www.google.com/_/chrome/newtab. Since chrome.tabs.executeScript checks
the URL in the browser, the script would be denied, even though content scripts
(checked in the renderer) would be allowed. In theory, these permissions should
not be different. Similarly odd, if the user is using the local ntp
(chrome-search://local-ntp/local-ntp.html), injection would already be
disallowed in both the renderer and the browser. And, if we go waaaaay back,
the NTP used to be pure WebUI with an URL of chrome://newtab, where injections
were again disallowed. Rather than have inconsistent behavior depending on the
type of script injection the extension uses, we want to have consistency
throughout the system.
P.S. Please don't edit the quoted text.

How to disable Pre-loading of pages or Prefetch in Google Chrome?

I'm debugging a web application running in visual studio with some breakpoints on some code that runs on every request to my web application.
I find that in Chrome, as I type the URL past the host, it triggers a request for everything I type as I type it... As if Chrome prefetches the page to make it load faster or something.
While great for browsing the web, it's highly annoying when debugging code..
Anyone know of a way to disable, I've googled it a few different ways and what I can turn off I have, but it still makes requests as I type.
Under the privacy settings (Settings -> show advanced settings... -> Privacy) in Chrome (Version 46.0.2490.80 m) uncheck these two settings:
Use a prediction service to help complete searches and URLs typed in the address bar or the app launcher search box
Prefetch resources to load pages more quickly
Under Settings -> Security and Privacy -> Cookies and other site data (or by typing chrome://settings/cookies?search=Security+and+Privacy into the address bar and hitting "Enter" key), uncheck the following:
Preload pages for faster browsing and searching
Preloads pages that Chrome thinks you might visit. To do this, Chrome may use cookies, if you allow cookies, and may encrypt and send pages through Google to hide your identity from sites.
Additionally (to disable the "prediction service"), under Settings -> You and Google -> Sync and Google services (or by typing chrome://settings/syncSetup?search=autocomplete into the address bar and hitting "Enter" key), uncheck the below (ref):
Autocomplete searches and URLs
Sends some cookies and searches from the address bar and search box to your default search engine.