I am looking for source code or library to expose Unix Domain Sockets to my Google Chrome's extension via NPAPI.
Does anything similar or related already exist?
Creating something like that generically would be exceptionally dangerous; you could, however, use FireBreath to create a plugin that would do that and it would be prettye easy. Make sure, though, that you are very careful with the security model since if you can instantiate it on your page someone else can on their page too, and they can then use it maliciously.
Related
I would like to build a Chrome multimedia extension.
I would like this extension to communicate with another process (using a "memory-mapped file" (https://msdn.microsoft.com/en-us/library/ms810613.aspx). Is it possible?
From the NaCl FAQ:
If I want direct access to the OS, should I use Native Client?
No—Native Client does not provide direct access to the OS or devices,
or otherwise bypass the JavaScript security model. For more
information, see later sections of this FAQ.
If it is not possible to use memory-mapped files in NaCl's sandbox, is there any other way to build such plugin?
My extension would be used only by me, so I can accept security flaws.
Short answer: No. The sandbox is designed to prevent that kind of thing. The only way to use APIs other than the Pepper APIs (or of course those available in JavaScript) would be to install a native app in the OS, and communicate with it from a web app or extension using Native Messaging:
https://developer.chrome.com/extensions/nativeMessaging (that might be a good solution for you since it sounds like communicating with another process is what you want to do anyway).
First of all, I haven't started the implementation of the system I'm about to describe, as I didn't want to commit on implementing something I did not know if was possible.
So, what I'm trying to achieve is to build a chrome-app to download the audio from certain websites (e.g. youtube and soundcloud) using youtube-dl, post process it using ffmpeg and then upload it to a cloud service via some api. The reason I want to do it via a chrome-app is because I could do all the work on the client side (no need for servers) and I'd have the ability to insert javascript into the pages using content scripts, which would make the app pretty simple to use (I could create buttons such as 'download song' and stuff like that).
Although I have already read the documentation explaining the NaCl Technical Overview and some of the Application Structure, I still am not sure as to whether I would be able to make these calls via some C/C++ module or if I would get denied due to security reasons.
To summarize: considering that the user has the needed dependencies in his system (youtube-dl, python, ffmpeg and etc.), is it possible to make calls to third party APIs such as the ones described before via a chrome-app using NaCl ?
Thank you all in advance,
Chrome apps are normally sandboxed.
Less so than extensions - they can reach much more system resources via app APIs.
But still, what you mention is executing libraries / utilities out of browser, and it's not normally allowed.
(P)NaCl is tightly sandboxed in this regard. See this old question, it still applies: you can only use 3rd-party code that compiles into NaCl along with your app, not just link to a library. There are some library ports to NaCl, but it's not automatic.
Normally, a few years back you would use a mechanism like NPAPI to reach out and use a library out of browser. It's deprecated, and won't work anymore. In its place, Chrome offers a pipe-like (through stdio) connection to an external program called Native Messaging. You could use it to perform operations with system-level libraries and tools, but the downside is that you can't bundle the native host with your app, you'll need a separate installer.
I'm writing a small chrome extension for personal use and I would like to run an executable via the context menu and pass certain information as arguments to said executable.
What the simplest and/or cleanest way to achieve this? To me it seems that it is impossible due to chrome's sandboxing.
This can be accomplished via NPAPI Plugins.
Code running in an NPAPI plugin has the full permissions of the
current user and is not sandboxed or shielded from malicious input by
Google Chrome in any way. You should be especially cautious when
processing input from untrusted sources, such as when working with
content scripts or XMLHttpRequest.
However, I should also include their warning.
Warning
NPAPI is being phased out. Consider using alternatives.
NPAPI is a really big hammer that should only be used when no other
approach will work.
via Start an external application from a Google Chrome Extension?
Alternatives to NPAPI
There are several alternatives to NPAPI. In cases where standard web
technologies are not yet sufficient, developers and administrators can
use NaCl, Apps, Native Messaging API, and Legacy Browser Support to
transition from NPAPI. Moving forward, our goal is to evolve the
standards-based web platform to cover the use cases once served by
NPAPI.
via http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html
Another way, suggested here, is with Java.
Java applets: http://docs.oracle.com/javase/tutorial/deployment/applet/
Implementing Policy: http://docs.oracle.com/javase/tutorial/security/userperm/policy.html
Use sendNativeMessage:
There is chrome.runtime.sendNativeMessage which can be used to send a
message to a native application and chrome.runtime.connectNative which
allows for a more persistent connection.
So, you can't directly execute a command, but you can have a native
app do it for you.
You can find more info on Native Messaging in the docs.
via https://stackoverflow.com/a/19917672/1085891
Is it possible to write a Chrome Extension that will interact with a Native Client application?
I use Irssi through the NaCl Secure Shell application, and I would like to write an extension that simply looks for plain URLs and makes them clickable links.
I'm seeing some strange behavior with extensions and NaCl applications, so I wanted to know if this is something that is even possible.
Additionally, if anyone has a more elegant solution to this, please don't hesitate to let me know.
Thanks!
The fact that the NaCl Secure Shell app uses Native Client under the hood shouldn't matter; the page is rendered using standard HTML.
The documentation for Chrome Extensions here says you should be able to inject content scripts into pages with the chrome-extension scheme. I tried it, but it doesn't work. It seems the documentation is incorrect. See http://crbug.com/153245.
As far as I can tell, it is not possible to modify an extension this way. It is possible to communicate with other extensions/apps (see here), but it seems that the application must expose an API to communicate with.
Secure Shell supports clicking links now via Ctrl+Click. it will support OSC+8 in a future release.
I'm not finding a way to do this in the chrome.* API or even the experimental. It doesn't run through wscript so
ActiveXObject("Shell.Application") isn't allowed.
I fear that my only option is to build a dll with NPAPI but I wanted to see if there was a simpler way.
To update this for a fellow wary lonesome traveler, even NPAPI is deprecated and being phased out. One of the alternatives mentioned in the NPAPI decprecation blog post that looks suitable for this type of problem (and pretty nifty really) is the Native Messaging API.
If you want to do anything Natively, you need to use NPAPI. That allows you to run code outside the sandbox for your extensions.
http://code.google.com/chrome/extensions/npapi.html
Alternatively, you might want to have two applications:
a "client" that works within a chrome extension and
a "local server" where the actual command is executed.
Whenever the extension needs to execute a command, it can connect to the local server via tcp connection.