Is it possible to listen to the host OS clipboard from a Chrome extension for each "insert" event (Ctrl+C or from context menu), to inspect the copied content?
Background: If a value from another application is copied into the clipboard, I want to check that copied value against certain regular expressions to identify a specific website the value might be associated with, so I can immediately open a new tab with the website this value belongs to.
Is this only possible through an additional application running on the host, that is listening and sending data to the Chrome extension by native messaging?
Related
If I inspect an <input type="password"/> from my Tampermonkey script and observe changes using a change handler for a password field that is filled by the Password Manager feature of Chrome, the value remains empty until I physically perform a real click in the page. I have tried in my script clicking in the page, but Chrome knows it’s not a real click. When I physically click in the page, the change event suddenly fires, the password field gets a value, and then my script reacts properly (due to having the change event). But I wrote this script to avoid having to interact with the page in the first place, so this defeats the point of my script.
Is there a way to get Tampermonkey to mark the page as having had the user interact with it (e.g., some hypothetical GM_setUserTouched() or GM_autoFillPasswords() API) so that the Password Manager feature actually fills the <input type="password"/> in without requiring me to click in the page?
Background
In Chrome, this behavior is documented in #352527 comment 15 where it is unexpected behavior to the reporter and #398805 where there is a case that Chrome fails to implement the behavior I don’t want. It is considered a feature that when autofill and Chrome’s built-in Password Manager fill out a form, password characters are displayed to the user in the password field, but the DOM HTMLInputElement.value is set to "". When the user interacts with the page, such as by clicking in it or pressing a key, Chrome modifies HTMLInputElement.value to contain the password and a change event is fired at the element. The cited reason for doing this is “security reasons” (e.g., if a website script was reading from the password element, it only would have a chance to do so if the user was looking at the page… so popunders or non-visible frames wouldn’t be able to do it or something? I’m not sure what this protects you from: once the user interacts with the page, all of the scripts would have access to the password anyway. And if bad scripts are being served from the same origin as the <input type="password"/>, the website itself has a security flaw, not Chrome…).
Greasemonkey historically has helper APIs and a #grant system to enable the userscript to work around issues like this. Edit: when creating the repro (below), I discovered that Firefox makes the autofill password available to the DOM without waiting for the user to interact with the window. Thus, Greasemonkey doesn’t need a GM_forceAutofill() API because Firefox doesn’t exhibit this Chrome quirk. As a result, Tampermonkey doesn’t have such an API.
Repro
Because people do not believe me when I describe the behavior exhibited by Chrome, I have prepared a repro. It takes some work to get Chrome into a state where it doesn’t think the user has interacted with the page yet, but you should be able to see what I see using these steps:
1. Open Chrome. I am using Chrome 61.0.3163.91 64-bit on Windows 10.
2. Navigate to https://fiddle.jshell.net/xqfynp3e/22/show/light/
3. Enter some bogus username and password and hit enter or click the button. Chrome should prompt you to save the password.
4. Save the password.
5. Open Developer tools.
6. Enter this into Console (to navigate to the page without accidentally interacting with it): window.location.href = 'https://fiddle.jshell.net/xqfynp3e/22/show/light/?1'
7. Run document.querySelector('input[type=password]').value in Console.
8. Observe that the form’s password appears to be filled in visually and yet reading the DOM element in Console yields "".
9. Click in the document.
10. Run document.querySelector('input[type=password]').value in Console again.
11. Observe that the form’s password hasn’t changed appearance and yet reading the DOM element in Console yields the bogus password you saved.
My question, restated: how can I get Tampermonkey to perform the “Click in the document” step? How do I tell Chrome’s password auto-filler that I interacted with the page without actually physically interacting with the page?
EDIT: I have found an alternative way to securely store passwords in Chrome and access them via userscripts by using the Credentials Web API’s silent mediation support: https://imgur.com/a/ts2W1
You cannot do this using Google's built-in password storage because, as you stated yourself, Chrome requires user interaction to enable such passwords -- as a security feature.
Specifically, Chrome requires an event with the isTrusted property set to true. Tampermonkey cannot work around this because even Chrome extensions are not able to set the isTrusted property.
See also, this related feature request from 2015.
One solution is to use a password manager that fills these fields without using Google's built-in storage.
There are many available, with varying degrees of cross-device, and cross-browser, support.
Or you can write your own Tampermonkey script to fill in these fields, regardless of what Chrome has stored.
If you do write a Tampermonkey script, I recommend that you use a secure storage framework; don't hardcode login info into the script.
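A small model of the gate this answer describes, added here as an illustration and not Chrome's or Tampermonkey's code: `makeGatedField` is a hypothetical stand-in for a field that exposes its value to script only after a trusted event, and the password string is constructed sample data. It runs wherever `Event` and `EventTarget` exist (browsers, recent Node.js).

```javascript
// Hypothetical model: the value stays "" for script until a listener sees an
// event whose isTrusted flag is true (set only by the browser for real input).
function makeGatedField(secret) {
  const target = new EventTarget();
  let unlocked = false;
  const unlock = (ev) => { if (ev.isTrusted) unlocked = true; };
  target.addEventListener('click', unlock);
  target.addEventListener('keydown', unlock);
  return {
    target,
    get value() { return unlocked ? secret : ''; },
  };
}

// Build a script-generated click and try the two routes a script has for
// marking it as trusted.
function makeForgedClick() {
  'use strict';
  // Route 1: request trust in the init dictionary (isTrusted is not a member
  // of EventInit, so it is ignored).
  const ev = new Event('click', { bubbles: true, isTrusted: true });
  // Route 2: assign to the property (read-only accessor, no setter).
  let assignResult = 'ignored';
  try { ev.isTrusted = true; } catch (e) { assignResult = e.name; }
  return { ev, assignResult };
}

function syntheticClickDemo() {
  const field = makeGatedField('constructed-sample-password');
  const { ev, assignResult } = makeForgedClick();
  field.target.dispatchEvent(ev); // listeners run, but the gate stays shut
  return {
    assignResult,
    isTrusted: ev.isTrusted,
    valueSeenByScript: field.value,
  };
}
```

Calling `syntheticClickDemo()` shows the listener firing on an event whose flag is still false, which is why a click dispatched from a userscript leaves the field empty.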
We use a number of update reports that reference phone call activities amongst other data. One field that is shown in the report is the subject line of the Phone Call which automatically creates a hyper link to the Phone Call being referenced.
When the report is run using the web interface, regardless of browser, the link opens the Phone Call without an issue. However when opened from the Outlook plugin a new browser window is opened and the user is required to log in, which can make working through a report tedious.
I am aware that one solution would be to always run reports from a browser, or leaving the new browser window opened by Outlook open, as any subsequent links are opened in the same browser which is already "logged in". However, is there a way to remove the requirement for the first login entirely? Could the link created in the Report have the login credentials embedded, so to speak?
I got a couple of domains whitelisted. Let's say they are a.mydomain.com and b.mydomain.com
I went to developer options in the chromecast extension and whitelisted mydomain.com and added data-cast-api-enabled="true" to the html tag
At this point, I was expecting the extension to inject api_script.js (like the one that I am seeing on youtube and netflix)
What am I missing here?
There are two whitelisting procedures listed in the developer documentation.
The first is device whitelisting (under "Whitelisting your receiver device"). During this process you provide 1 or 2 target URLs to the Google Cast team, and they generate an application ID for you. Then when launching a session with the Cast API from a device (Android, iOS, or Chrome browser with extension installed) you provide the string "<applicationId>_<urlNumber>" and the receiver you select will then open the receiver page located at the URL associated with that string.
The second whitelisting (under "Whitelisting Chrome apps" at the link above) is specific to developing a sender app with the Chrome extension, and is configured within the browser. The Chrome extension will only inject the Cast API into specific sender pages currently, but allows developers to whitelist the domain their sender pages are on.
1. Be sure you are running Chrome version 28 or later.
   If you haven't restarted Chrome in a while you may be running an older version; restarting will update Chrome automatically.
2. In the Chrome address field, enter chrome://extensions, and check the Developer mode checkbox to enable developer mode.
3. Install the Chrome extension for Google Cast.
4. On the Cast extension icon in the browser's upper right corner (next to the address field), right-click and select Options.
   The Google Cast extension options page opens in a new tab.
5. On the blue Cast icon, in the page's upper left corner, click four (4) times.
   The Developer Settings appear.
6. In the Cast SDK additional domains field, enter your application's domain, for example, "www.mydomain.com" and click Add.
7. Code your application's HTML tag as follows:
   <html data-cast-api-enabled="true">
8. Reload the application's page.
I observed that the issue was a JavaScript error on that page which prevented the injection of cast api by the extension. (Was missing jquery)
I have been able to get the injected JS on all other pages
I have several accounts for a website and currently I want to write an extension that I can open all the accounts simultaneously in chrome, each tab for one account.
So that means I want each tab with a separate cookie system, is it doable? If so please suggest the API I should use, thanks!
Go to Chrome Preferences. There is a Users section where you can add users. Each new user will have its own cookie jar, so you can log in to a site as many different users at once. It makes new chrome windows, but it seems you cannot drag a tab onto a window of another user.
According to Chrome documentation, you can modify HTTP headers (including cookies) in the onBeforeSendHeaders event handler. So, you need to store new cookies for every account by means of the onHeadersReceived event handler, and then substitute them for every tab in outgoing requests.
There even exists an extension which seems to do almost the thing you want - Chrome Cookie Switcher.
Also I have found an answer that may be helpful for your task: Associate a custom user agent to a specific Google Chrome page/tab.
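A sketch of the per-tab cookie substitution described in this answer, added here as an example and not taken from the answer or from any existing extension. It assumes a Manifest V2 extension with the "webRequest" and "webRequestBlocking" permissions on Chrome 72 or later (where "extraHeaders" is required to see cookie headers); `SITE` is a placeholder match pattern, and only the name=value part of each cookie is kept.

```javascript
// Per-tab cookie jars: tabId -> Map(cookieName -> value), held in memory.
const jars = new Map();

// Record Set-Cookie response headers for one tab and strip them, so they
// never reach the browser's shared cookie store.
function captureSetCookies(tabId, responseHeaders) {
  const jar = jars.get(tabId) || new Map();
  jars.set(tabId, jar);
  return responseHeaders.filter((h) => {
    if (h.name.toLowerCase() !== 'set-cookie') return true;
    const pair = h.value.split(';')[0]; // attributes (Path, HttpOnly...) dropped
    const eq = pair.indexOf('=');
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    return false;
  });
}

// Replace the outgoing Cookie header with this tab's jar only.
function applyTabCookies(tabId, requestHeaders) {
  const out = requestHeaders.filter((h) => h.name.toLowerCase() !== 'cookie');
  const jar = jars.get(tabId);
  if (jar && jar.size) {
    const value = [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    out.push({ name: 'Cookie', value });
  }
  return out;
}

// Wiring inside the extension's background page; skipped anywhere else.
const SITE = 'https://accounts.example/*'; // placeholder match pattern
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (d) => ({ responseHeaders: captureSetCookies(d.tabId, d.responseHeaders) }),
    { urls: [SITE] }, ['blocking', 'responseHeaders', 'extraHeaders']);
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (d) => ({ requestHeaders: applyTabCookies(d.tabId, d.requestHeaders) }),
    { urls: [SITE] }, ['blocking', 'requestHeaders', 'extraHeaders']);
  chrome.tabs.onRemoved.addListener((tabId) => jars.delete(tabId));
}
```

Because the jar discards cookie attributes and lives in extension memory, expiry, Path/Domain scoping and HttpOnly/Secure handling are no longer enforced by the browser for these cookies, and page script reading `document.cookie` will not see them.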
I really don't think Chrome allows extensions to do this. If I recall correctly, extensions can inspect and block requests, but they can't modify them, such as changing cookies on the fly for each tab.
I suggest you use the --user-data-dir command-line option of Chrome. It allows you to keep several separate profiles, each in its own directory, and then you only need to start chrome with the proper option:
# run this command to use the first profile
google-chrome --user-data-dir=/home/binchen/my_chrome_profiles/my_profile_1
# run this command to use the second profile
google-chrome --user-data-dir=/home/binchen/my_chrome_profiles/my_profile_2
...
Each profile will be in its own Chrome window, with its own cookie store, instead of its own tab, but it's easier than writing an extension.
Lastly, if the website you're mentioning is Google, you can keep several Google accounts open at the same time.
We need to publish a web browser (preferably Chrome) via Citrix/XenApp. Security constraints required by our customer prevent direct browser access from the outside. To avoid opening up other security risks we want to prevent the user from doing anything else but interacting with our hosted application.
I've been experimenting with Chrome shortcuts (using the --app command line option) and Chrome extensions (which I then start with the --app-id command line option). Basically these work and look very good but I have two problems:
The keyboard shortcuts are not disabled which means that the user can do things s/he should not.
We need to open up more than one tab in our application. When using "--app" or "--app-id" new tabs are opened in a new browser window which is not constrained at all.
Is there a way to lock down Chrome to only allow interacting with a specific host address while still allowing more than one tab? I know that extensions do that but since new tabs are opened in new browser windows and the keyboard shortcuts are still enabled the user can easily do too much.