I'm trying to load an unpacked chrome extension. When I click the Load unpacked button nothing happens; much the same as this question. I am working within a system that has extension instalation control policies, particulary a ExtensionInstallBlacklist of * and a list of whitelisted extensions. No other policies seem to impact extensions.
It turns out that there's a js error in the console when I click the button:
Error handling response: Error: Extension installation is blocked by policy.
at chrome://extensions/crisper.js:215:2522
but looking at the js that this leads to doesn't give any clues about the name of the policy. I have searched the Chrome Enterprise policy list without any luck.
What is the policy that's blocking this?
ExtensionInstallBlacklist
A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist.
This includes unpacked extensions, otherwise the user could easily circumvent the enterprise policy.
Related
I published my extension on following link https://chrome.google.com/webstore/detail/poenibgdeeoelggbbbhdddojjjglhdjm/publish-accepted?authuser=0&hl=en.
When the extension runs the nativemessaging host and native messaging host sends a message it shows following error This extension may have been corrupted., and stops working.
The extension works fine in developer mode.
This extension may have been corrupted.
This is a message that Chrome shows if any of the files inside the extension folder change. When an extension is published, Web Store adds a Google-signed list of file hashes to the extension (in the _metadata folder), and any detected change is interpreted as a hijack attempt and leads to the extension being disabled.
You don't run into this in development mode, because Chrome does not consider file changes as abnormal (it is, after all, in active development).
If this is what your native component does (e.g. adds files to the extension or changes them), you can't use this technique. In particular, this does not allow you to change the extension's code externally.
Use other methods of storage of variable information in an extension, e.g. the storage API or IndexedDB, and other methods of communication, e.g. the native host communication protocol or a local webserver in the native component (but think about security if you're doing that).
I am creating a website that have a link to download my chrome CRX app to install it on chrome, the problem is whenever I try to download it it's give me an error that says: " Package is invalid: 'CRX_REQUESTED_PROOF_MISSING' ".
How can I fix this problem?
NOTE: my app is working when I install it using developer tools.
My manifest.json:
{"name":"MY_APP_NAME",
"version":"0.0.1",
"manifest_version":2,
"minimum_chrome_version":"37.0.0.0",
"permissions":["webview","power","storage","videoCapture","geolocation","pointerLock","system.display",{"fileSystem":["write","retainEntries","directory"]},"accessibilityFeatures.read","accessibilityFeatures.modify"],"app":{"background":{"scripts":["js/foam.js","js/cab.js","config.js","background_main.js"]}},
"default_locale":"en",
"icons":{"128":"img/128.png"}}
I'm also currently having this issue and trying to find workarounds for it. Unfortunately it seems that due to Chrome's security policy, plugins needs to go through their webstore in order to have the multiple levels of "proof" before chrome will accept it as a legit extension. So far it seems the only way to get it to work is to load it as an unpacked extension, go through the webstore, or force install it via group policy.
Links and refs:
https://developer.chrome.com/apps/external_extensions
https://support.google.com/chrome/a/answer/6306504?hl=en
https://github.com/oncletom/crx/issues/109
According to documentation, Chrome does not allow installing CRX from outside of their store, unless in developer mode or through enterprise policy: https://developer.chrome.com/extensions/hosting_changes, or on Linux (it's mentioned at the beginning of linux_hosting i linked in my previous comment).
So that may be a reason, because in their source, that "proof missing" error is returned only if either public key is missing, or "required key" is missing:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L178
"required key" seems to be their predefined key:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L134
and
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L42
I'm guessing that's the public part of Chrome Web Store key? There's no easy or even "practical" way to create signature that will match their key.
So, either it's the missing Chrome Web Signature key, or something is wrong with how we create signature using developer's key.
How can I distribute my extension if I cannot upload it to the Chrome Web Store for policy reasons?
These changes are effective only on Windows stable and beta channel. Users who want to get extensions that are not hosted on the Chrome Web Store can do so on Chrome dev/canary channels in Windows or on all Chrome channels in other operating systems.
What are the supported deployment options for extensions after this change?
Apart from users installing extensions from the Chrome Web Store, the following deployment options will be supported:
For OSX and Linux, extensions can be installed via a preferences JSON file.
For Windows, extensions can be installed via the Windows registry. In the Windows registry, ensure that the update_url registry key points to the following URL: https://clients2.google.com/service/update2/crx. Local .crx installs via the path registry key are deprecated. Note that this deployment option works only for Chrome Web Store hosted extensions, and update_url cannot point to any other host other than https://clients2.google.com/service/update2/crx.
For Enterprises, we’ll continue to support group policy to install extensions, irrespective of where the extensions are hosted. Note that the user's machine has to join a domain for GPO policy pushes to be effective.
I'm thinking of moving some of the permissions in an unpublished Chrome extension to being optional instead of required in the manifest, and wanted to test the user flow.
Calling chrome.permissions.request() in an unpacked extension seems to just succeed silently. The browser dialog that the user should see isn't displayed.
This Chrome developer page suggests you can test the normal user flow using a packaged .crx file:
If you'd like to see exactly which warnings your users will get, package your extension into a .crx file, and install it.
However, Chrome no longer seems to let you install an arbitrary .crx file outside of the Chrome Webstore. Dragging and dropping the file on the Extensions page lists it, but the Enabled checkbox is disabled. This SO comment indicates that testing permissions in this way is likely no longer possible, but I haven't seen any official documentation about it.
I was actually able to install and enable a non-Webstore .crx file by adding it to the extension whitelist in the Windows registry, using these instructions, but that extension didn't trigger the permission request dialogs either.
So my questions are:
Is there a way to test the permission request flow other than publishing an extension to the Chrome Webstore?
What's the best way to remove the optional permissions once you've accepted them, in order to test the flow again? Delete the extension? Call chrome.permissions.remove()?
Turns out I confused myself by requesting the "sessions" permission when the extension already had a required "tabs" permission. Apparently, requesting "sessions" when you already have "tabs" doesn't trigger the permissions dialog.
However, calling something like chrome.permissions.request({ permissions: ["bookmarks"] }) does, in fact, show the permissions dialog, even in an unpacked extension.
So the answers are:
There's no need to publish an extension to the Chrome Webstore. Just request an optional permission with your local unpacked extension to see the dialog.
It looks like the only way to trigger the permissions dialog again is to delete the extension completely and reinstall it. Calling chrome.permissions.remove() does remove it as far as the APIs go, but the permission is silently re-added if it's requested again.
I am developing an extension that uses chrome's Native messaging. After setting the key value in my extension (for native messaging) chrome goes bananas and deletes my files after closing chrome. Turning off sync extensions somehow keeps my files in tact, but it still removes the extension from itself every reboot. I can't figure out if this is some bizarre bug I've stumbled upon or this has to do with not being able to install non web-store extensions
Problem
As you can read on google forums (productforums.google.com), posted on 04.09.2015, new versions of Google Chrome will automatically disable extension that are have not been installed from Chrome Web Store. There is no option to change this behaviour.
Some extensions come bundled with others, which causes Chrome to ask
whether you want to install them (or not). However, bad actors have
abused this mechanism, bypassing the prompt to silently install
malicious extensions that can override browser settings and alter the
user experience in undesired ways.
...
Since these malicious extensions are not hosted on the Chrome Web
Store, it’s difficult to limit the damage they can cause. This is why
we announced in November that as part of our continuing security
efforts, all extensions for Windows users must be hosted in the
Chrome Web Store.
Solutions
1. Use a different browser. For example, Opera (version > 15) and SRWare Iron browsers extensions are 100% compatible and they don't get disabled on each browser startup. All the tools from Google Chrome are available in these browsers.
2. Pack the extension (idea taken from this url). Open the extension page, activate "Developer Mode"; Click "Load unpacked extension..."; Search trough your directory tree for the directory where you unpacked your extension and click OK; Disadvantages: Chrome nags you to disable the extension at each start up
If you are copy/pasting an installed extension that no longer exists, you can modify the manifest and remove:
the key
the update_url
Then load it again and it will work and assume you are developing it.
Here's the deal. We are trying to install some Chrome extensions (version 47+) via GPO. We're putting the ExtensionInstallForcelist under the user configuration, but it's not working. The registry entry shows up, so the GPO works, but Chrome doesn't seem to be reading it to perform the install.
There is a slight catch. We are running Websense Endpoint agent on our systems, which installs its own Chrome extension by adding a registry entry under the ExtensionInstallForcelist in HKLM.
When I look at the Chrome Policies, I see the ExtensionInstallForcelist enabled only for "Machine".
Does Chrome only accept one install list? Either HKLM or HKCU with HKLM being the preferred? At least that's the behavior that I'm seeing.
Any help or information would be appreciated. All of the information that I've found on Chrome Extensions and GPO only list the Machine policy and don't really cover the User policy.
Thank you.
We had the exact same issue as you, with the Websense Endpoint trumping any GPO User level ExtensionInstallForcelist settings we put in place for a custom Chrome Extension.
This was the party line I found from Chromium project regarding who wins in User vs Machine chrome policies:
"Correct. We do not merge policy values, we just use the value read from the highest-priority source."
(Taken from this person who had the same problem:
https://productforums.google.com/forum/#!msg/chrome/wygwLDak6ZQ/NKurhHpdCgAJ )
Observationally, the Machine level is apparently the higher priority source. As such, we moved all the Chrome extensions settings to the Computer Configuration level of the GPO instead, this worked and installed our custom extension and all settings, however, this in turn prevented the Websense Endpoint from making it's ExtensionInstallForcelist registry entries and stopped it loading correctly.
So we ended up adding the Websense Extension details to the machine level GPO ForceInstallList as well:
mkkjioebiampndpmidmadhpmgffdckhe;C:\Program Files\Websense\Websense Endpoint\dlpext.xml
This is obviously not the best approach, as we now need to manage/keep an eye the Websense endpoint deployments via GPO, but it got things working for the subset of machines we needed to install the Chrome extension on.