While pruning the number of sites that are allowed to send notifications to me, I discovered one allowed notification rule that surprised me: *://www.goko.com/*:
(This is found at chrome://settings/content/notifications )
How can I find out which of my Google Chrome Extensions is enforcing that I allow notifications from goko.com (without brute-force disabling/uninstalling them until I discover that the permission is gone)?
Related
I have a Chrome extension that uses the Gmail REST API to send emails on behalf of the user. This API requires an Oauth2 token, which I'm retrieving using chrome.identity.getAuthToken.
The Problem
However, I am running into some issues with the Chrome Identity API. In particular, if the user authenticates with chrome.identity with a different Gmail account then the one they're signed into Chrome with, then they are prompted to re-login every hour or so (which doesn't happen if the accounts are the same). In addition, I'd like to minimize the number of permissions my extension asks for as a general principle (permissions sometimes introduce warning messages on install and risk disabling existing users on update), so I'd like to not have to ask for the "identity" permission if I can avoid it.
My Question
How can I authenticate the Gmail API in Chrome Extensions without using the Identity API?
Current Progress
I initially tried using Google's Javascript Client for auth, but that seems to be incompatible with Chrome extensions. After having searched other SO issues and some Google materials, it seems that the Identity API is indeed the recommended auth solution in Chrome Extensions. However, for the UX reasons mentioned above, I'm finding this solution problematic. And I do think an alternative should be possible -- for example, the MixMax Chrome extension, which uses the Gmail API, does not ask for the Identity permission.
Any help would be much appreciated! Thanks!
Hello,
I have web-app at Google cloud Platform at Kubernetes engine, using it/accessing it through Identity-Aware Proxy restricting it through Access Context Manager which Google cloud platform provides.
Trying to allow access through chrome browser only to user with a] restricted/limited number and type of chrome browser extensions, b] approved device and c] possibly specific G-Suite account.
Initial accomplishment of this goal is not hard:
c] you can set in Identity-Aware Proxy access role IAP-secured Web App User per user (identity)
b] you can can create access level in Access Context Manager which require approved device (which require endpoint verification extension installed)
a] you can limit extensions for G-suite user chrome profile in admin.console without any problem (or need of browser enrollment)
This would be example of easy to make solution of given problem, but here is problems, possible solution and finally where i'm in need of advice.
User can log in into custom chrome browser profile, avoid extension installment restriction (restrictions/policies are applied base on G-suite chrome profile) and then log into G-suite account on google.com and be granted access through Identity-Aware Proxy (access is given not based on profile of chrome but base on account you are logged in google.com)
Solution for this problem would be to enroll browser, policies wouldn't be given per G-suite profile in chrome but per browser. It brings another problem
User can un-enroll chrome browser at any-time
This is currently my death end, thinking only way out is if there would be in Access Context Manager check for chrome profile or chrome enrollment.
Possible Hints:
I was told to buy chrome enterprise licence and allow log in only on enrolled browsers https://support.google.com/chrome/a/answer/7572556 , just from article its not clear for me it would solve my problem
number of options in Access Context Manager is very poor, maybe missing some licence ?
create extension which would check browser profile and restrict access to the web-app by presence of this extension and G-suite profile in chrome
Thank you.
I was told to buy chrome enterprise licence and allow log in only on
enrolled browsers https://support.google.com/chrome/a/answer/7572556 ,
just from article its not clear for me it would solve my problem
If I'm understand correctly your biggest problem is that user can stop using Chrome and go with another browser. By using Chrome Enterprise you force your users to use Google Chrome to even login into their accounts on corporate managed devices
number of options in Access Context Manager is very poor, maybe
missing some licence ?
There aren't any license options for Access Context Manager, if you are looking for more settings in this feature I encourage you to open a Feature Request with Google
create extension which would check browser profile and restrict access
to the web-app by presence of this extension and G-suite profile in
chrome
This option will do the trick you can even force install Chrome extensions
For internal use in my department I wrote a Chrome extension. It works fine in developer mode and I delivered it to my colleagues by e-mail attaching the .crx-file. They opened chrome://extensions and drag-and-drop it there. The message
drop to install extension
appeared, Chrome installed the extension and it works like a charm.
Nevertheless, on the very first restart of Chrome, a message appears that Chrome deactivates an unsupported extension.
A link to the help page Extensions disabled by Chrome is added to the message, and states:
To protect you while you browse, Chrome only lets you use extensions that have been published on the Chrome Web Store.
While I understand the reason, is there any other way a user can explicitly tell Chrome an extension is safe? Some effort is acceptable as publishing the extension to the webstore is not.
I have no administrative access, so no changes to registry nor active directory are possible.
As noted, you need Active Directory level policies to whitelist / auto-install extensions. See Policy List.
Chrome will use many defense mechanisms to detect and fight other trickery. The stance is simple: anything an unprivileged user can do any other software can do to implant malware.
However, you should consider publishing in CWS.
This can be done unlisted; unless someone has the listing link, the extension won't be discoverable.
This approach will present a risk of a leak of the link, but with your current delivery mechanism crx can leak as well; in general, copy-protecting extensions is basically infeasible.
This can be done with enforced control over accounts; you can publish to a Google Group of "trusted testers", who will be the only ones to see the listing.
Won't work if you're not allowed to sign into your Google accounts in Chrome.
This can be published with enforcing access only to your domain's users - if you use GApps for your work.
All of the above might not work if your extension is somehow questionable by CWS policies; if you can't publish for this exact reason, and can't use AD policies, I'm afraid you're SOL.
There isn't a way without domain level management to make this work. You can't just have the user "say" it is safe, since the user "saying" something could very well be the attacker. Any mechanism put in place to get around this would simply be used by attackers and unthoughtful companies to add more junk into your browser.
I'm creating a Chrome extension that modifies the gmail UI.
But when I authenticate (with chrome.identity.getAuthToken) in the Chrome extension, it defaults to using the user account that is signed into Chrome.
But I need data for a gmail account when I am on that gmail page.
I saw this answer, but I was wondering if there was any easier way?
I just went through the same process and I couldn't find an easier way.
You'll need to authenticate yourself.
We tried using the mechanism in that link but it requires putting the Client Secret in the Extension - very ugly.
In the end we request and refresh tokens externally through a hosted web page from our www site.
Although a hassle to set up once in place it works nicely and is worth the effort.
I have seen other answers here, such as this.
But nowadays, you cannot simply drag an extension to the browser and expect it to work. Google does not allow you to activate it, showing a message "not downloaded from chrome store"
Now, I really don't want to publish anything. It's a personal extension for me and friends! How can I workaround this limitation?
You could publish to testers.
I know you said you didn't want to publish anything but it only shows up to google accounts you have listed at testers.
You really only have two options:
Distribute the crx and have them run in developer mode.
List the extension on the Chrome store.
It sounds like #1 is a problem for you (as it is for most). If you go with option #2, you can list the extension privately, so it isn't listed in the Chrome store.
For context, Google is not doing this to hold people back. Most of the browsers have tightened up these methods to prevent abuse. From Google's perspective, they cannnot differentiate between your friendly use case, and a hacker using an extension to place malware. If it's published through the store, they can scan for malware.