I would like to make a google chrome app (packaged) that can XSS. I have tried adding permission patterns and explicit URLs, tabs, and content_script matching rules to the app manifest. None work. I don't want a 'hack' to allow XSS, as google could fix that.
EDIT: Yes, this is for a legitimate app. I'm making a remote control tool for devices with IPs that are mutually trusted. I'm coming from a desktop programming background to make a web version of a certain product. I'm wondering if a chrome app has permissions like a desktop app would, which can be approved on install, and then allow the app to do what's covered in those permissions.
Related
For internal use in my department I wrote a Chrome extension. It works fine in developer mode and I delivered it to my colleagues by e-mail attaching the .crx-file. They opened chrome://extensions and drag-and-drop it there. The message
drop to install extension
appeared, Chrome installed the extension and it works like a charm.
Nevertheless, on the very first restart of Chrome, a message appears that Chrome deactivates an unsupported extension.
A link to the help page Extensions disabled by Chrome is added to the message, and states:
To protect you while you browse, Chrome only lets you use extensions that have been published on the Chrome Web Store.
While I understand the reason, is there any other way a user can explicitly tell Chrome an extension is safe? Some effort is acceptable as publishing the extension to the webstore is not.
I have no administrative access, so no changes to registry nor active directory are possible.
As noted, you need Active Directory level policies to whitelist / auto-install extensions. See Policy List.
Chrome will use many defense mechanisms to detect and fight other trickery. The stance is simple: anything an unprivileged user can do any other software can do to implant malware.
However, you should consider publishing in CWS.
This can be done unlisted; unless someone has the listing link, the extension won't be discoverable.
This approach will present a risk of a leak of the link, but with your current delivery mechanism crx can leak as well; in general, copy-protecting extensions is basically infeasible.
This can be done with enforced control over accounts; you can publish to a Google Group of "trusted testers", who will be the only ones to see the listing.
Won't work if you're not allowed to sign into your Google accounts in Chrome.
This can be published with enforcing access only to your domain's users - if you use GApps for your work.
All of the above might not work if your extension is somehow questionable by CWS policies; if you can't publish for this exact reason, and can't use AD policies, I'm afraid you're SOL.
There isn't a way without domain level management to make this work. You can't just have the user "say" it is safe, since the user "saying" something could very well be the attacker. Any mechanism put in place to get around this would simply be used by attackers and unthoughtful companies to add more junk into your browser.
Was wondering if I had a web-application on www.mydomain.com/userportal etc but didn't want this accessable via the browser, but as a chrome application similar to how Google's Hangouts is a seperate window / popup - How easy is it to implement an already built application into one of these windows?
If I understand you correctly, you would like to display your www site as a Chrome App. Chrome apps are all HTML/CSS/JS files hosted on the computer but they can display a webview into a site online. However, Chrome Apps must be 'offline' first. So you must ask for permissions to all online activity.
Ideally you would make separate app hosted as a Chrome App (not link/embedded to a www site) that uses an API to talk to a web-app.
Keep in mind that Google is phasing out Chrome Apps for all platforms except Chrome OS in the near future.
I'm creating a Chrome extension that modifies the gmail UI.
But when I authenticate (with chrome.identity.getAuthToken) in the Chrome extension, it defaults to using the user account that is signed into Chrome.
But I need data for a gmail account when I am on that gmail page.
I saw this answer, but I was wondering if there was any easier way?
I just went through the same process and I couldn't find an easier way.
You'll need to authenticate yourself.
We tried using the mechanism in that link but it requires putting the Client Secret in the Extension - very ugly.
In the end we request and refresh tokens externally through a hosted web page from our www site.
Although a hassle to set up once in place it works nicely and is worth the effort.
Pushbullet and Google Now have notifications, which can pop up depending on time or place or any other trigger. If I have to add this feature to my app, how can I do it?
You have two options:
https://developer.chrome.com/extensions/notifications as pointed out by #Moin in the comments. This will only work for people that decide to install your chrome app on desktop (no support for chrome in Android)
Using the new push notifications APIs as described in
https://developers.google.com/web/fundamentals/getting-started/push-notifications/
The latter is probably recommended if you can live with the following caveats:
It's a bit more basic API
Users needs to opt in via a prompt
The site needs to be https
I would like to create an extension or app for the Chrome browser which would require access to a user's Google Calender (for creating new appointments).
I am unsure of which technology to better research and use, Chrome extensions or apps. My "app" wouldn't need much of a GUI, so I'm leaning towards extension — but I don't know if this would pose any difficulties for accessing a user's Google Calender to add an event.
Anyone one have any idea which technology is best for this situation, and why? Thanks!
Either, or... Go with an extension if you'd like.
I assume you've looked at the API reference?
https://developers.google.com/google-apps/calendar/
From there, I'd imagine you'd just need OAuth to authenticate the user. Here's the JS library:
https://code.google.com/p/google-api-javascript-client/
There are pros/cons of each types, apps or extensions.
Apps
If you would like to create a client application of Google Calendar which has many rich GUI components, this type will become a better solution.
In addition, Chrome apps can communicate with many hardware devices and other servers. Of course, your Chrome app can become as a server (that is, your app can open a server socket and accept a request from other client apps).
Chrome apps can be executed not depending on your Chrome Web browser. That is, Chrome apps cannot access to a context of your Chrome Web browser.
Probably, you don't want to get the pros above, I guess...
Extensions
If you would like to create a small UI for posting your schedule to Google Calendar, this type will become a better solution.
In addition, Chrome extensions can access to a context of your Chrome Web browser. That is, your extension can get page contents of each tab and inject your CSS and/or JS code. For example, your extension will get a URL of some opened tab and include it in a body of the posted schedule.
Chrome extensions completely depend on your Chrome Web browser. That is, your extension cannot execute independently.
Also, generally, high cost will be needed to develop Chrome apps than Chrome extensions. As the result, you should choose Chrome extensions, I believe.