How do I access Private APIs in Chrome extension - google-chrome

I need to get the value of the MAC address, the username and the computer. I want to do this with networkingPrivate, but I am not able to access it.
I wrote in the manifest.json file this:
"permissions": ["networkingPrivate"]

Generally you can't because they're private exactly for the purpose of being private, not public API. It's also whitelisted to specific extensions by Google or its trusted associates.
For your own personal use you may have success by running Chrome with a custom command line parameter --whitelisted-extension-id=abcd where abcd stands for the 32-character id of your extension as seen on chrome://extensions page when developer mode switch is enabled in the top right corner of the page. Or you can mimic a trusted extension's id by finding its manifest.json and copying its "key" to your own manifest.json.
For a public extension you'll have to use a workaround. For example, write a separate utility and invoke it via nativeMessaging API.
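The nativeMessaging workaround suggested above, sketched as an added example (not code from the original answer): a Node.js host that speaks Chrome's native messaging framing, a 32-bit length in native byte order followed by UTF-8 JSON, and answers only an allow-list of fields. The field names, the `fields` request shape and the 64 KiB inbound cap are assumptions of this example.

```javascript
const os = require('os');

const LE = os.endianness() === 'LE';      // lengths use the platform's native byte order
const MAX_REQUEST = 64 * 1024;            // this example's own cap on inbound messages
const MAX_REPLY = 1024 * 1024;            // Chrome rejects host messages over 1 MB
const ALLOWED = new Set(['username', 'hostname', 'mac']); // hypothetical field names

// Frame a reply: 32-bit length prefix followed by UTF-8 JSON.
function encodeMessage(obj) {
  const body = Buffer.from(JSON.stringify(obj), 'utf8');
  if (body.length > MAX_REPLY) throw new Error('reply too large');
  const head = Buffer.alloc(4);
  if (LE) head.writeUInt32LE(body.length, 0); else head.writeUInt32BE(body.length, 0);
  return Buffer.concat([head, body]);
}

// Extract every complete message from buf; bytes of a partial message come back in rest.
function decodeMessages(buf) {
  const messages = [];
  while (buf.length >= 4) {
    const len = LE ? buf.readUInt32LE(0) : buf.readUInt32BE(0);
    if (len > MAX_REQUEST) throw new Error('request too large');
    if (buf.length < 4 + len) break;      // partial message: wait for more bytes
    messages.push(JSON.parse(buf.subarray(4, 4 + len).toString('utf8')));
    buf = buf.subarray(4 + len);
  }
  return { messages, rest: buf };
}

function firstMac() {
  for (const nics of Object.values(os.networkInterfaces()))
    for (const n of nics || []) if (!n.internal && n.mac !== '00:00:00:00:00:00') return n.mac;
  return null;
}

// Return only allow-listed fields; anything else in the request is ignored.
function handleRequest(req) {
  const getters = { username: () => os.userInfo().username, hostname: () => os.hostname(), mac: firstMac };
  const reply = {};
  for (const f of Array.isArray(req && req.fields) ? req.fields : [])
    if (ALLOWED.has(f)) reply[f] = getters[f]();
  return reply;
}

// Chrome passes the calling extension's origin as an argument; serve only in that case.
if (process.argv.slice(2).some((a) => a.startsWith('chrome-extension://'))) {
  let pending = Buffer.alloc(0);
  process.stdin.on('data', (chunk) => {
    const { messages, rest } = decodeMessages(Buffer.concat([pending, chunk]));
    pending = rest;
    for (const m of messages) process.stdout.write(encodeMessage(handleRequest(m)));
  });
}
```

The host manifest's `allowed_origins` list is what restricts which extension may launch this process, so it should name only your extension's id.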

Related

Access Google API in Chrome Extension - do I need to set URLs in permissions in the manifest?

I'm writing a Chrome extension which calls some Google APIs. These use the Chrome Identity API, are declared in the oauth2 section of the manifest, and are called using the fetch API, and work fine. When I first wrote this extension, I used this post for guidance, and have declared https://docs.google.com/spreadsheets/ in the permissions section of the manifest. However, I'm wondering if this is in fact necessary - it gives a scary permissions warning - that the extension can change all data on docs.google.com - which is not in fact the case.
I tried removing the permission from the extension and it seems to work fine, but would like to know what the official/expected behaviour here is - are URL permissions in a chrome extension only for interacting with that page, or are they supposed to be for any web access the extension initiates?

Disable cookie checks against Public Suffix List in Chrome

We have a collection of apps, and we would like to test them before merging PRs using Heroku's Review Apps.
The login is stored in a cookie that is shared across these apps. Since herokuapp.com is listed under Public Suffix List, we can't use the heroku-provided domain for testing apps because cookies don't get shared on that domain.
Is there an easy way to disable the domain check against the Public Suffix List in Chrome, or can we locally exclude/override herokuapp.com from the list?

Custom Extensions on Managed Chromebooks

I am a developer looking for the best way to set up different schools with their own custom, private extensions (i.e. School A should be the only one with access to Extension A). Theoretically, I am aware that there are a few ways to get a custom, private extension pushed out on a domain:
(1) Host the .crx on a server and click "Specify a Custom App" in the management console.
(2) Create a Domain App by uploading a zip to the Chrome Web Store.
(3) Upload the extension from my developer account to the Chrome Web Store and publish to a single "trusted tester," or make it unlisted.
Option (1), hosting the .crx, has not been working. I am not sure why, but the extension is simply not pushing out. I link directly to the crx file, which has the right ID and MIME type, still, no dice. If anyone has any tips or suggestions for getting this to work, I would love to hear them!
Option (2), having the school create a domain app, seems a bit inefficient because it requires all schools to upload their own zip. So essentially I would have to email a zip file to the school, and have them publish it. All updates to the extension will also require a similar process, so this doesn't seem ideal.
I doubt that option (3) would work. If I published to the admin as a "trusted tester", I don't think that the other people in the domain would be able to access it. If it is unlisted, I do not know how an admin could find it in the Chrome Web Store dialog. Also, I would rather avoid security through obscurity.
Has anyone had success with hosting the extension and using the Specify a Custom App feature? Any other suggestions for getting a Custom Extension pushed out by the management console? Thanks so much!
To get option (1) working from the management console, it is important to specify the correct extension id and a valid update xml url (not a crx).
One useful feature Google offers that you can use is getting the extension id and the version from the update request.
For instance, you can create an update.php file that outputs an XML file specific to each extension and version. See http://developer.chrome.com/extensions/autoupdate.html under "Advanced Usage".
For more info on packaging an app or extension for managed chromebooks, see https://support.google.com/chrome/a/answer/2714278?hl=en.
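A sketch of the per-extension update manifest described in this answer, as an added example (not the answerer's update.php): it parses the `x=id%3D<id>%26v%3D<version>` parameters that Chrome's autoupdate documentation describes, validates them, and emits XML only for ids in its own catalogue. The catalogue, host name and versions are constructed placeholders.

```javascript
// Hypothetical catalogue: one private extension per school. Ids, versions and URLs are constructed.
const CATALOGUE = {
  ['a'.repeat(32)]: { version: '1.4.0', codebase: 'https://updates.example.org/school-a/ext-1.4.0.crx' },
  ['b'.repeat(32)]: { version: '2.0.1', codebase: 'https://updates.example.org/school-b/ext-2.0.1.crx' },
};

const ID_RE = /^[a-p]{32}$/;                 // extension ids are 32 letters from a to p
const VERSION_RE = /^\d+(\.\d+){0,3}$/;      // one to four dot-separated integers

const xmlEscape = (s) => s.replace(/[&<>'"]/g, (c) => `&#${c.charCodeAt(0)};`);

// Each x parameter is a URL-encoded "id=<id>&v=<version>" string; malformed ones are dropped.
function parseUpdateRequest(requestUrl) {
  const apps = [];
  const query = new URL(requestUrl, 'https://updates.example.org').searchParams;
  for (const x of query.getAll('x')) {
    const data = new URLSearchParams(x);
    const id = data.get('id') || '';
    const version = data.get('v') || '';
    if (ID_RE.test(id) && VERSION_RE.test(version)) apps.push({ id, version });
  }
  return apps;
}

// Build the update manifest, listing only ids present in the catalogue.
function buildUpdateXml(requestUrl) {
  const lines = [
    "<?xml version='1.0' encoding='UTF-8'?>",
    "<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>",
  ];
  for (const { id } of parseUpdateRequest(requestUrl)) {
    if (!Object.prototype.hasOwnProperty.call(CATALOGUE, id)) continue;
    const { codebase, version } = CATALOGUE[id];
    lines.push(`  <app appid='${id}'>`);
    lines.push(`    <updatecheck codebase='${xmlEscape(codebase)}' version='${xmlEscape(version)}' />`);
    lines.push('  </app>');
  }
  lines.push('</gupdate>');
  return lines.join('\n');
}
```

Because the id is checked against a strict pattern before it is written into the response, a crafted request cannot inject markup into the XML, and ids outside the catalogue get no entry at all.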

Why is the google chromecast extension not injecting API on a whitelisted domain

I got a couple of domains whitelisted. Let's say they are a.mydomain.com and b.mydomain.com
I went to developer options in the chromecast extension and whitelisted mydomain.com and added data-cast-api-enabled="true" to the html tag.
At this point, I was expecting the extension to inject api_script.js (like the one that I am seeing on youtube and netflix)
What am I missing here?
There are two whitelisting procedures listed in the developer documentation.
The first is device whitelisting (under "Whitelisting your receiver device"). During this process you provide 1 or 2 target URLs to the Google Cast team, and they generate an application ID for you. Then when launching a session with the Cast API from a device (Android, iOS, or Chrome browser with extension installed) you provide the string "<applicationId>_<urlNumber>" and the receiver you select will then open the receiver page located at the URL associated with that string.
The second whitelisting (under "Whitelisting Chrome apps" at the link above) is specific to developing a sender app with the Chrome extension, and is configured within the browser. The Chrome extension will only inject the Cast API into specific sender pages currently, but allows developers to whitelist the domain their sender pages are on.
1. Be sure you are running Chrome version 28 or later. If you haven't restarted Chrome in a while you may be running an older version; restarting will update Chrome automatically.
2. In the Chrome address field, enter chrome://extensions, and check the Developer mode checkbox to enable developer mode.
3. Install the Chrome extension for Google Cast.
4. On the Cast extension icon in the browser's upper right corner (next to the address field), right-click and select Options. The Google Cast extension options page opens in a new tab.
5. On the blue Cast icon, in the page's upper left corner, click four (4) times. The Developer Settings appear.
6. In the Cast SDK additional domains field, enter your application's domain, for example, "www.mydomain.com" and click Add.
7. Code your application's HTML tag as follows:
   <html data-cast-api-enabled="true">
8. Reload the application's page.
I observed that the issue was a JavaScript error on that page which prevented the injection of the Cast API by the extension. (jQuery was missing.)
I have been able to get the injected JS on all other pages.

Geolocation without permission in manifest

Is it possible to use geolocation API in chrome extension without including the "geolocation" permission in manifest.json?
Like can we ask permission through the background.html file which runs the extension?
You can use it in a content script without declaring a permission.
This would trigger a standard notification bar asking if you want to allow current site (not your extension) to access geolocation. If user allows it, you can then pass received geolocation position to a background page for further processing.
This approach might work if your extension is injecting a content script to a single domain, otherwise user would have to allow geolocation for each domain they visit.
The code should look like:
// Runs in the content script, so the prompt is for the current site's origin.
navigator.geolocation.getCurrentPosition(function(position) {
    console.log("Latitude : " + position.coords.latitude + ":" + "Longitude : " + position.coords.longitude);
});
Nope:
"An array of permissions that the extension or app might use. Each permission can be either one of a list of known strings (such as "geolocation") or a match pattern that gives access to one or more hosts. Permissions can help to limit damage if your extension or app is attacked."
http://code.google.com/chrome/extensions/manifest.html
...and here:
"Your physical location": "geolocation" permission. Allows the extension to use the proposed HTML5 geolocation API without prompting the user for permission.
http://code.google.com/chrome/extensions/permission_warnings.html
Actually, after looking at it a bit more, you can, but the user will be prompted for permission:
http://www.html5rocks.com/en/tutorials/geolocation/trip_meter/
...and this page from Google says you can use this API and others:
http://code.google.com/chrome/extensions/api_other.html