I'm using Chrome policy settings to restrict access in a user's browser. Among the policies in place are policies that should prevent deleting history, and also prevent using incognito mode. On Windows machine, these policies are set like this, if in a .reg file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"IncognitoModeAvailability"=dword:00000001
"AllowDeletingBrowserHistory"=dword:00000000
When tested on a machine that has these policies, it does indeed appear that the users of the machine are unable to use incognito mode, nor delete browser history. But inspecting the browser history shows large gaps of time without any activity, which is contrast to other logging I have in place. The user's login does not have have administrative rights (they login as a standard user), so they shouldn't be able to alter the group policy settings. And indeed when I inspect the machine after the fact, the policies do appear to be active. My question is, is there any way to bypass these groups policy settings such that either incognito mode may be used, or else browser history is deleted? Without administrative privileges (so that policies can be changed), I can't imagine how it would be done, but I'm convinced it is.
Related
Looking for the best way to lock chrome browser tweaking per user on shared lab computers so each user gets a consistent experience on login. Currently some users will pollute the chrome experience requiring the IT team to do some housekeeping. I would like to remove all user changes if possible, so each experience is fresh clean browser.
Tried: GPO in place to block the settings url changes and clear history on exit but customize is still available. Reached out with no luck, seems like support is firewalled at google and out of reach.
When we add chrome extensions in the browser (eg. for dark mode or blocking ads) it asks for few permissions. Specific example, I am concerned with is about DARK READER extension.
Link : https://chrome.google.com/webstore/detail/dark-reader/eimadpbcbfnmbkopoojfekhnkhdbieeh?hl=en-US
Now this kind of extension asks for permission as follows:
I want to know if I give this permission, can this extension read passwords which I type?
What security threats does it pose and how to safeguard myself from them?
I have read that I should use incognito mode. Please someone elaborate.
If I am signed in on a window on incognito, how is it different from being signed in from a regular chrome tab?
Does everything you view stay? For example, I looked up about facts about President Trump, but will my admin be able to wee I searched that even if I am not on the same network?
The only difference is that the chrome will not save some information about your activity like it does in normal mode.
In Incognito mode it won't save your history, download history, bookmarks, passwords and autofillsand it will delete all cookies after the end of the incognito session.
It is all only about the Chrome storing the information. Other sources will be normally able to see the web trafic - that means your internet provider, your employer, etc...
If your admin watches only the browser history, you are safe. But there are A LOT OF other and better means to monitor the web trafic on a specific network. If you were on a network your admin cannot monitor - you are safe too.
I was wondering if there would be a way to sync settings between the chrome extension on the same user accounts on different computers to only allow one use of the extension at a time.
For example: If someone logged into their chrome store account, downloaded a program on one computer, and then downloaded the same program on the same account on the other computer, would there be a way to only allow use on one of the programs?
Thanks a lot!
PS The app is already on the chrome webstore.
This sounds like some sort of DRM use case. Setting aside the discussion of whether this is wise, there are a couple approaches:
Set an "in use" flag and save it in chrome.storage.sync. If it's already set, then tell the user he's out of luck (or better, force-close the other instance, which will still disappoint the user, but at least he gets to use your product). Hope that no spurious issues occur (such as the user closing the lid of the notebook) that leaves the flag erroneously set on the idle machine.
Same idea, but force the user to sign into your own web service. Disallow multiple active sessions.
In either of these cases, you could change the flag to be a timestamp, where the active session periodically renews itself, and you can automatically release a session that's inactive for an hour or so. Then in the lid-closing case, at least the user won't be stranded indefinitely.
I need to capture image from web page without security warning.
Page where i need webcam functionality can not be switched to https protocol.
I've installed root certificates and made them trusted.
I tried to insert iframe (which pointed to secure protocol https://mysecurepage.com) inside page (http://mypage.com), but not worked.
#bjelli is correct - this is a major security flaw for any internet content. Just imagine if you could go to a website which would start taking photos/recording everything going on without any permissions or notifications!
However, I am working on an intranet project where disabling the prompt would be quite safe.
If you are in this sort of position - there is one thing you can do;
Google Chrome Policies
If you are deploying the browser, you can override the security prompt for sites you specify. I don't know if you are working in such an environment, but this is the only way you can avoid the prompt all together. Similar things probably would apply for other browsers too.
As defined in http://www.w3.org/TR/mediacapture-streams/
When the getUserMedia() method is called, the user agent MUST run the following
steps:
[9 steps omitted]
Prompt the user in a user agent specific manner for permission to provide the
entry script's origin with a MediaStream object representing a media stream.
[...]
If the user grants permission to use local recording devices, user agents are
encouraged to include a prominent indicator that the devices are "hot" (i.e. an
"on-air" or "recording" indicator).
If the user denies permission, jump to the step labeled failure below. If the
user never responds, this algorithm stalls on this step.
If a browser does not behave as described here it is a serious security problem. If you find a way of making a browser skip the "permission" you have found a security problem.
What do you do if you find a security problem?
Report it IMMEDIATELY! Wikipedia: Vulnerability Disclosure
Firefox: http://www.mozilla.org/security/#For_Developers
Internet Explorer: http://technet.microsoft.com/en-us/security/ff852094.aspx
Safari: https://ssl.apple.com/support/security/
Chrome: http://www.google.com/about/appsecurity/
Opera: http://www.opera.com/security/policy
This is not just a question of technical possibilities, it's also a question of
professional ethics: what kind of job would I not take on? should I be
loyal to my customer or should I think of the welfare of the public? when do I
just follow orders, when do I stop bad stuff from happening, when do I blow the whistle?
Here are some starting points for computing professionals to think about the ethics of their work:
http://www.acm.org/about/se-code
http://www.acm.org/about/code-of-ethics
http://www.ieee.org/about/corporate/governance/p7-8.html
http://www.gi.de/?id=120