Load remote JS script in Content script for Chrome extension - google-chrome

I have a chrome extension. I have a lot of code in the content script.
Nowadays Google takes a lot of time to publish the extension. About 10-15 days due to covid etc.
I have the same extension on Firefox too where I load all remote code through script injection.
How can I do the same with the Chrome extension? When I try to load the remote script it gives me the following error.
This document requires 'TrustedScript' assignment.
I think Chrome became stricter with the release of version 83.
Also, as per Chrome Store support, a wrapper that loads the code remotely is the way to go. But I can't find suitable documentation or sample code. Questions found on Stack Overflow are about 4-5 years old at minimum.
Also, some of the guys are of the opinion that the Chrome store will reject the extension if we inject a remote script. But the following image belongs to the extension submission UI of the Chrome Developer Dashboard.
And you can clearly see that it is asking whether your app requires remote code.
Any help is highly appreciated.

Related

Do browsers accept plugins today or just extensions?

I don't want to create an extension because they are limited.
I would like my code to execute on any page from the browser.
I have read that creating plugins is deprecated for security reasons (NPAPI).
There is Emscripten, which looks like it is executed only on the server.
Is there a way to code and execute a program from the computer to access and modify browser page content?
You can look at the Tampermonkey extension. That extension provides user-made scripts and runs them.
Chrome Web Store Tampermonkey

How to prevent Google Chrome from blocking my installer package

I've prepared and published on my website an installer package with the software I developed. The package is compiled and bundled into .exe file using WiX toolset and contains no viruses or malware. Next when I try to download the file I get a notification from Chrome that it's blocked due to malicious content.
Malicious content warning
I'm really upset that my customers are being misinformed with such a warning. Any ideas how to get around it?
Google created this page for developers - https://support.google.com/webmasters/answer/3258249.
Even though it doesn't say it on there, almost all auto-detection software will not block software that is digitally signed (and there is no bad reputation associated with the signing certificate).
If it's a simple file, just upload it to Google Drive or Dropbox, generate a public link for it, and then share it on your website.
You can also shorten that link, if your application provides this service, or via goo.gl, in order to view the click count.
If any developer comes across this issue, I managed to resolve it by streaming the downloadable file instead, via a different URL (which doesn't have the file name and its extension with the file's full path on your hosting).
Doing so by manipulating the response header will fix the issue.
Here is a useful link about streaming a downloadable file via a PHP script

Cloud Storage Download Appears to Be Malicious

I uploaded a utility in the last few days to google cloud storage.
It's a zip file containing two executables and a readme file.
I tested the download and it worked fine. I then looked into how I could see the download stats and yesterday I enabled logging.
I posted the link to a mailing list this afternoon and clicked it to verify that I had the right link and the download in chrome reports "xxx.zip appears to be malicious".
This did not happen prior to when I enabled logging, but I don't know for sure that is what caused it.
I am using a CNAME alias for the download, and I am a paying google apps customer.
The executables are not malicious in any way. They are simple utilities for doing replacements in text files. They do not access the network at all.
My question is "Why is my zip file being reported as malicious?" and is there any way to remedy this situation?
I looked around for a solution to this problem and I found the following advice:
1) Sign your EXEs. As it turns out, this advice is incorrect. While it has worked for some people, there are people who report that even signed executables are reported as malicious downloads.
2) Use SSL. SSL access is not available for google cloud storage unless you use the commondatastorage.googleapis.com or sandbox.google.com URLs. While this might work, it doesn't resolve my problem.
3) Use the commondatastorage.googleapis.com URL. This works. The same file using the commondatastorage.googleapis.com URL rather than my custom CNAME record does not report that it "appears malicious".
4) Register your site with Google Webmaster Tools. According to this Stack Overflow entry ("Getting around Chrome's Malicious File Warning"), the solution is to sign up for Google Webmaster Tools and add your site.
I have tried this one, but it has not made a change just yet. Because this is google cloud storage and not a main site, I added an index.html page, a 404 page, and ran the gsutil commands to enable web configuration within google cloud storage. I added the site to Webmaster Tools and additionally added it to Google Analytics.
I'll give solution 4 a few days to see if it pans out.
It seems like this is more of an issue with Google Chrome and not necessarily Google Cloud Storage. Chrome's methods for identifying malicious files are less than desirable right now.

Automatize HAR files generation from Google Chrome

Basically what I need is a way to automatize the result of the following operations:
1) open a new tab;
2) open the Network tab in the developer tools;
3) load a URL;
4) select "Save All as HAR".
Often, proposed solutions involve the use of PhantomJS, browsermob-proxy, or pcap2har; those won't fit my case since I need to work with SPDY traffic.
I tried to dive into the Google Chrome Extensions API and indeed I managed to automatize some tasks, but still no luck for what concerns the HAR files generation. Now this method is particularly promising but I still can't figure out how I would use it.
In other words, I need something like this experiment from the Google guys. Note the following:
We used Chrome's remote debugging interface with a custom client that starts up the browser on the phone, clears its cache and other state, initiates a web page load, and receives the Chrome developer tools messages to determine the page load times and other performance metrics.
Any ideas?
Solution
For the curious, I ended up with a Node.js module that automates such kind of tests: chrome-har-capturer. This also gave me the opportunity to dig deeper into the Remote Debugging Protocol and to write a lower-level Node.js interface for general-purpose Chrome automation: chrome-remote-interface.
The short answer is, there is no way to get at the data you are after directly. The getHAR method is only applicable to extensions meant to extend DevTools itself. The good news is, you can construct the HAR file yourself without too much trouble - this is exactly what phantom.js does.
1) Start Chrome with remote debugging
2) Connect to Chrome on the debugging port with a websocket connection
3) Enable "Network" debugging, you can also clear cache, etc - see Network API.
4) Tell the browser to navigate to the page you want to capture, and Chrome will stream all the request meta-data back to you.
5) Massage the network data into HAR format, à la phantom.js
6) ...
7) Profit.
For a head start, I have a post with sample Ruby code that should get you started with steps 1-4: http://www.igvita.com/2012/04/09/driving-google-chrome-via-websocket-api/
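The "massage the network data into HAR format" step from the answer above, sketched as an added example (it is not the answerer's code, nor taken from chrome-har-capturer). It correlates the three Network events by `requestId` and emits HAR 1.2 entries; the sample events are constructed, redirects and request bodies are not handled, and redacting credential headers is an added choice because captured HAR files carry session cookies and tokens.

```javascript
// Added example: fold Chrome DevTools Protocol "Network" events into HAR 1.2 entries.
// Credential-bearing headers are redacted, since HAR files are often shared.
const SENSITIVE = new Set(['authorization', 'cookie', 'set-cookie', 'proxy-authorization']);
// The protocol reports headers as an object; HAR wants [{name, value}, ...].
const toHarHeaders = (headers = {}) => Object.entries(headers).map(([name, value]) =>
  ({ name, value: SENSITIVE.has(name.toLowerCase()) ? 'REDACTED' : String(value) }));

function eventsToHar(events) {
  const pending = new Map(); // requestId -> { req, res }
  const entries = [];
  for (const { method, params } of events) {
    if (method === 'Network.requestWillBeSent') {
      pending.set(params.requestId, { req: params });
    } else if (method === 'Network.responseReceived' && pending.has(params.requestId)) {
      pending.get(params.requestId).res = params;
    } else if (method === 'Network.loadingFinished') {
      const rec = pending.get(params.requestId);
      pending.delete(params.requestId);
      if (!rec || !rec.res) continue; // no matching request/response seen: skip
      const { request, timestamp: t0, wallTime } = rec.req;
      const { response, timestamp: t1 } = rec.res;
      const wait = Math.round((t1 - t0) * 1000); // protocol timestamps are in seconds
      const receive = Math.round((params.timestamp - t1) * 1000);
      const httpVersion = response.protocol || 'unknown';
      entries.push({
        startedDateTime: new Date(wallTime * 1000).toISOString(), time: wait + receive,
        request: { method: request.method, url: request.url, httpVersion, cookies: [],
          headers: toHarHeaders(request.headers), headersSize: -1, bodySize: -1,
          queryString: [...new URL(request.url).searchParams].map(([name, value]) => ({ name, value })) },
        response: { status: response.status, statusText: response.statusText, httpVersion,
          cookies: [], headers: toHarHeaders(response.headers), redirectURL: '',
          content: { size: params.encodedDataLength, mimeType: response.mimeType },
          headersSize: -1, bodySize: params.encodedDataLength },
        cache: {}, timings: { send: 0, wait, receive },
      });
    }
  }
  return { log: { version: '1.2', creator: { name: 'cdp-to-har-example', version: '0.1' }, entries } };
}
// Constructed sample of the messages Chrome streams back (not a real capture).
const SAMPLE_EVENTS = [
  { method: 'Network.requestWillBeSent', params: { requestId: '1', timestamp: 100.0, wallTime: 1600000000,
      request: { url: 'https://example.test/app?lang=en', method: 'GET', headers: { Cookie: 'sid=abc123' } } } },
  { method: 'Network.responseReceived', params: { requestId: '1', timestamp: 100.12,
      response: { status: 200, statusText: 'OK', protocol: 'h2', mimeType: 'text/html',
        headers: { 'content-type': 'text/html', 'set-cookie': 'sid=abc123; HttpOnly' } } } },
  { method: 'Network.loadingFinished', params: { requestId: '1', timestamp: 100.15, encodedDataLength: 2048 } },
];
console.log(JSON.stringify(eventsToHar(SAMPLE_EVENTS), null, 2));
```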
By now there's a browser plugin to do that: https://github.com/devtools-html/har-export-trigger
It uses the WebExtensions DevTools API and I got it to work with both Firefox and Chrome.
See my code for Chrome here: https://github.com/theri/web-measurement-tools/blob/master/load/load_url_using_chrome.py#L175
Automatically installing the plugin in Chrome is a bit more complicated than in Firefox, but feasible - I extracted the plugin archive locally and then link to it in chrome_prefs.json (see same repository).
Not sure if it helps, HAR Recorder uses chrome debug protocol to record HAR and generate a har file (without opening devtools). If you want a variation, you can fork and make changes on it.

Chrome Extensions accessing header information

I am on a mission to expand my knowledge and create an extension for chrome similar to how firephp works. I want to integrate with my existing logging and debugging api within my framework and I want to be able to send these messages to the console. Nothing really robust to start with just a way to send debug messages to the chrome console from php.
The plan is to send the messages via the headers and have the extension read those headers and interpret them. I've been trying to find information on accessing the response headers and can't find any examples. Some of the research has led me to possibly having to develop an NPAPI plugin to be able to accomplish this.
Before traveling down a dead-end path I wanted to get the community's opinion here on which path I should be taking to find a solution.
Chrome cannot currently do this, but Google is working on it. A preliminary and incomplete implementation is in the development version of Chrome, or in Chrome Canary.
http://code.google.com/chrome/extensions/experimental.webRequest.html
onHeadersReceived
http://dev.chromium.org/developers/design-documents/extensions/notifications-of-web-request-and-navigation
You can track progress here.
http://crbug.com/50943
The web request api is now in stable and can be used to access header events.
https://developer.chrome.com/extensions/webRequest.html
Here is an extension that does what you are trying to do. It uses cookies to communicate, from what I can tell.
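How the webRequest approach mentioned in the answers above could look for the header-based debug channel the question describes, as an added example that is not code from the thread. The `X-Debug-Msg-<n>` header name, its JSON payload shape and the `dev.example.test` origin are assumptions made for illustration; header values are validated because any server matched by the URL filter controls them.

```javascript
// Added example: read debug messages out of response headers with chrome.webRequest.
// Header name "X-Debug-Msg-<n>", its JSON payload and the origin below are hypothetical.
const HEADER_RE = /^x-debug-msg-(\d+)$/i;
const LEVELS = new Set(['log', 'info', 'warn', 'error']);
const MAX_LEN = 2048;

// Any server matched by the filter controls these values, so treat them as untrusted.
function extractDebugMessages(responseHeaders = []) {
  const out = [];
  for (const { name, value } of responseHeaders) {
    const match = HEADER_RE.exec(name);
    if (!match) continue;
    if (typeof value !== 'string' || value.length > MAX_LEN) continue;
    try {
      const msg = JSON.parse(value);
      if (!msg || !LEVELS.has(msg.level) || typeof msg.text !== 'string') continue;
      // Strip control characters so a header cannot forge extra console lines.
      const text = msg.text.replace(/[\u0000-\u001f\u007f]/g, ' ');
      out.push({ seq: Number(match[1]), level: msg.level, text });
    } catch { /* malformed JSON: ignore this header */ }
  }
  return out.sort((a, b) => a.seq - b.seq);
}

// Registered only inside an extension (needs the "webRequest" permission plus a host
// permission for the origin); the guard lets the file also load under Node.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => {
      for (const m of extractDebugMessages(details.responseHeaders)) {
        console[m.level](`[server] ${m.text}`); // level is allowlisted above
      }
    },
    { urls: ['https://dev.example.test/*'] },
    ['responseHeaders'],
  );
}
```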