I have to write a google chrome extension/plugin that has to send out events to a win32 service when certain websites are accessed.
1. Is Pepper API/Native Client the right approach to do this?
2. If I can use Pepper API, is it possible to access the Win32 named pipes to send information to the win32 process? If not, is there an alternate approach available to achieve this goal?
Pepper is by the very definition a sandbox, and supposed to be cross-platform. Without knowing anything about it, I would guess that the answer is "no".
Native Client is a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.
From within an extension, the right approach would be Native Messaging.
The idea is to have a native application ("host") that Chrome can invoke on demand and communicate with. It can serve as a proxy for your calls.
For more information, look around the linked documentation and chrome-native-messaging here on SO.
Related
I would like to build a Chrome multimedia extension.
I would like this extension to communicate with another process (using a "memory-mapped file" (https://msdn.microsoft.com/en-us/library/ms810613.aspx). Is it possible?
From the NaCl FAQ:
If I want direct access to the OS, should I use Native Client?
No—Native Client does not provide direct access to the OS or devices,
or otherwise bypass the JavaScript security model. For more
information, see later sections of this FAQ.
If it is not possible to use memory-mapped files in NaCl's sandbox, is there any other way to build such plugin?
My extension would be used only by me, so I can accept security flaws.
Short answer: No. The sandbox is designed to prevent that kind of thing. The only way to use APIs other than the Pepper APIs (or of course those available in JavaScript) would be to install a native app in the OS, and communicate with it from a web app or extension using Native Messaging:
https://developer.chrome.com/extensions/nativeMessaging (that might be a good solution for you since it sounds like communicating with another process is what you want to do anyway).
I have created a Flex Desktop Application with Adobe Air.
I need to protect the application from being captured. By changing the window display affinity of the application, the application can be protected from being captured.
How to use win API in flex?
Is there any other way to protect the window from being captured?
First you have to make sure that the main window does not have the WS_EX_LAYERED Windows style. That style makes SetWindowDisplayAffinity fails with code 8 (ERROR_NOT_ENOUGH_MEMORY), at least on my machine (Seven Pro 64 bits). In your -app.xml file, set the value to false for the node <transparent> under <initialWindow>.
Second, you have to choose how to inject a regular C DLL in the application process, as the API will fail with error 5 (ERROR_ACCESS_DENIED) if you try to change the affinity of a window not living in the caller process.
One possible injection method is using the SetWindowsHookEx API. Google will give you many hits about that one. Feel free to ask for some details. You obviously needs cooperation of another process, here (and some Win32 APIs practice).
Another possible way is coding an 'ACTIONSCRIPT® Extensions for ADOBE® AIR®' (PDF).
The later seems preferable:
No collaboration from an external process needed.
Adobe AIR does the DLL loading for you.
C/C++ code much more simple.
I used the first technique, as I am more fluent in raw Win32 APIs about DLL, than I am with AIR and Action Script...
I successfully tested that first technique with a very simple "Hello World" AIR Desktop application, and get a nice "All Black" image after Print Screen.
First of all, I haven't started the implementation of the system I'm about to describe, as I didn't want to commit on implementing something I did not know if was possible.
So, what I'm trying to achieve is to build a chrome-app to download the audio from certain websites (e.g. youtube and soundcloud) using youtube-dl, post process it using ffmpeg and then upload it to a cloud service via some api. The reason I want to do it via a chrome-app is because I could do all the work on the client side (no need for servers) and I'd have the ability to insert javascript into the pages using content scripts, which would make the app pretty simple to use (I could create buttons such as 'download song' and stuff like that).
Although I have already read the documentation explaining the NaCl Technical Overview and some of the Application Structure, I still am not sure as to whether I would be able to make these calls via some C/C++ module or if I would get denied due to security reasons.
To summarize: considering that the user has the needed dependencies in his system (youtube-dl, python, ffmpeg and etc.), is it possible to make calls to third party APIs such as the ones described before via a chrome-app using NaCl ?
Thank you all in advance,
Chrome apps are normally sandboxed.
Less so than extensions - they can reach much more system resources via app APIs.
But still, what you mention is executing libraries / utilities out of browser, and it's not normally allowed.
(P)NaCl is tightly sandboxed in this regard. See this old question, it still applies: you can only use 3rd-party code that compiles into NaCl along with your app, not just link to a library. There are some library ports to NaCl, but it's not automatic.
Normally, a few years back you would use a mechanism like NPAPI to reach out and use a library out of browser. It's deprecated, and won't work anymore. In its place, Chrome offers a pipe-like (through stdio) connection to an external program called Native Messaging. You could use it to perform operations with system-level libraries and tools, but the downside is that you can't bundle the native host with your app, you'll need a separate installer.
I'm writing a small chrome extension for personal use and I would like to run an executable via the context menu and pass certain information as arguments to said executable.
What the simplest and/or cleanest way to achieve this? To me it seems that it is impossible due to chrome's sandboxing.
This can be accomplished via NPAPI Plugins.
Code running in an NPAPI plugin has the full permissions of the
current user and is not sandboxed or shielded from malicious input by
Google Chrome in any way. You should be especially cautious when
processing input from untrusted sources, such as when working with
content scripts or XMLHttpRequest.
However, I should also include their warning.
Warning
NPAPI is being phased out. Consider using alternatives.
NPAPI is a really big hammer that should only be used when no other
approach will work.
via Start an external application from a Google Chrome Extension?
Alternatives to NPAPI
There are several alternatives to NPAPI. In cases where standard web
technologies are not yet sufficient, developers and administrators can
use NaCl, Apps, Native Messaging API, and Legacy Browser Support to
transition from NPAPI. Moving forward, our goal is to evolve the
standards-based web platform to cover the use cases once served by
NPAPI.
via http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html
Another way, suggested here, is with Java.
Java applets: http://docs.oracle.com/javase/tutorial/deployment/applet/
Implementing Policy: http://docs.oracle.com/javase/tutorial/security/userperm/policy.html
Use sendNativeMessage:
There is chrome.runtime.sendNativeMessage which can be used to send a
message to a native application and chrome.runtime.connectNative which
allows for a more persistent connection.
So, you can't directly execute a command, but you can have a native
app do it for you.
You can find more info on Native Messaging in the docs.
via https://stackoverflow.com/a/19917672/1085891
My intention is to create a chrome plugin for the windows users. Is that possible to call windows api from Native Client /PPAPI. If possible how?
I am answering my question, as after some study, I found the answer from West a bit not right. I tried calling windows APIs in Pepper(PPAPI) Plugin and it works fine with a command line switch "--register-pepper-plugins" (not the --no-sandbox as specified by West). It seems safer to use this command line attribute as it is only registering a plugin in to the Chrome browser and not removing any sandbox. I thought of adding an answer after finding an actual pepper plugin existing in use, which uses the switch (the NetFlix pepper plugin for chromeos ).
Got more information to add. Chrome API is available which provides the multi-monitor information : chrome.systemInfo.display object provides all the necessary information. The chrome documentation is not updated. Important thing to note is that, the permission "systemInfo.display" is to be added in the manifest to use this object. Two bugs are reported in the functionality of this object.
1. The monitor name is same for all monitors "Generic PnP Monitor", the documentation claims to provide the user friendly name of monitors.
2. There is an event which should get invoked on resolution change of monitors, but the event is never getting invoked.
Currently the implementation is only for Windows OS. Support for other OS are on the way. Documentation says that the API is only available for Chrome App, but I haves tested that and the API is available on Chrome Extensions as well.
Unfortunately, the short answer is 'no'. Native Client is designed to be OS-independent and as safe as JavaScript. Think of Native Client as native code that has the same capabilities and restrictions as JavaScript. A Native Client module that made Windows API calls would break both of those design principles: it wouldn't run on, e.g., a Mac, and it would be a major security risk (imagine browsing to a web page that decides to erase files from your harddrive).
Since you mention Chrome, it may be interesting to you to know that web apps - whether they use JavaScript or Native Client - can request additional permissions as packaged apps in Chrome Web Store. However, native OS calls are still not possible for the reasons listed above.
NPAPI plugins do not have these restrictions, but the future of NPAPI, at least in Chrome, is uncertain (see the last paragraph of http://blog.chromium.org/2012/07/npapi-plug-ins-in-windows-8-metro-mode.html).
For development purposes, it is possible to turn Chrome's outer sandbox off with the command-line flag --no-sandbox and then run PPAPI plugins that make direct OS calls. This is meant for developers and is not a suitable option to be used by end-users.
If you could say a bit more about what you're trying to achieve, there may be ways to do this with Native Client/Pepper.