Recently, i have made a chrome ext, but anyone can read its source code by rename the crx to zip and extract it, how i secure my SC ?
The only way to prevent anyone with your extension from seeing the logic is to move it out of the extension that runs on a user computer and into a web service that the extension accesses.
Since this will slow down the works quite a bit, you should only do this for the really valuable parts of your code.
The best (and only?) way would be to obfuscate your JavaScript.
edit: Chrome Webstore does not allow you to obfuscate your JavaScript code. You can read it in the Chrome Webstore program policies
Code Readability Requirements:
Developers must not obfuscate code or conceal functionality of their
extension. This also applies to any external code or resource fetched by the
extension package. Minification is allowed, including the following forms:
Removal of whitespace, newlines, code comments, and block delimiters
Shortening of variable and function names
Collapsing files together
You can use Google Firebase API and related other storage services for write secure/safe business logic, because your google extension code is always open to show for every one....
:::: Example for your more help ::::
key-value from extension JS code ----- Transfer to Server ----> Firebase API perform your logics ---- send back to ----> extension JS code
FireBase is Free and light weight and perfect for business logic
Related
I recently submitted a chrome extension and it got rejected saying "Where possible, make as much of your code visible in the package as you can. If some of your app's logic is hidden and it appears to be suspicious, we may remove it."
My extension is to share music. It works in the below way (simplified explanation):
Create a group and add people.
Submit a youtube/soundcloud or any title and url.
Users in the group get notified.
I have not used any external libraries. My code is not minified. I am using bootstrap css from their cdn. The code is not fully commented because the function names are very much self explanatory.
The extension does send request to my server to save the title and url. But this should not be the reason for rejection.
This is my 5th chrome extension. My earlier extensions were submitted without any problem.
Any ideas or hints or suggestions ?
I also had the same issue with my extension, after I read Marc's comment I suppose to upload it as new extension. That really work for me
Try uploading it by creating another extension on your dashboard. If that doesn't work, you can upload an empty extension, then issue updates that update the code part by part until you get the error again. – Marc Guiselin
and check if there any external links for js css or fonts, which are not comply with Google's Content Security Policy (CSP)
I've prepared and published on my website an installer package with the software I developed. The package is compiled and bundled into .exe file using WiX toolset and contains no viruses or malware. Next when I try to download the file I get a notification from Chrome that it's blocked due to malicious content.
Malicious content warning
I'm really upset that my customers being misinformed with such warning. Any ideas how to get around it?
Google created this page for developers - https://support.google.com/webmasters/answer/3258249.
Even though it doesn't say it on there, almost all auto-detection software will not block software that is digitally signed (and there is no bad reputation associated with the signing certificate).
If it's a simple file, just upload it to Google Drive or DropBox, and generate a public link for it and then share it on your website.
You can also shorten that link, if your application provide this service, or via goo.gl, in order to view clicks' count.
If any developer come across this issue, I manage to resolve it by streaming the downloadable file instead, via different URL (which doesn't have the file name and its extension with file's full path on your hosting).
Doing so by manipulating the response header, will fix the issue.
Here is a useful link about streaming a downloadable via php script
I'm building a community driven website off of Google sites (I know this is a bad choice, I don't have a choice in the matter) and the majority of the functionality is build into Google Apps Scripts (to read/write to an external database and handle how data is displayed). Amid various issues, I've found one that consistently confuses me.
I typically structure my GAS projects into Javascript, HTML, and CSS (Code.gs, HTML.html, and CSS.html). I leverage jQuery for quite a few things (e.g., click handlers, form submission, etc). However, it seems that my jQuery and my Javascript can't exist in the same "world", here meaning in the same .gs file, or the same script tags if it's going in the HTML file. In fact, I can't call any jQuery functions from my .gs file! Can someone explain why this is, please? It seems like the problem is that the jQuery library isn't included, but I can't find a way to include anything in Javascript (think #include from C). And since this is web programming, which is pretty different from "normal" programming, I think that part of my problem understanding this comes from here. And working inside a framework (GAS) doesn't help.
Much obliged, thank you.
HTML Service supports JQuery because the code is executed in your Browser, so the library is loaded in your browser too (after CAJA sanitization) but the code in the .gs file is executed on Google's server and you can't obviously load anything on Google's server !
In one word : there is no way to use JQuery or any other external library in Google Apps Script files other than .html files used in HTML Service.
In the project configuration you're describing, which matches the examples from the HtmlService Best Practices, all your GS code runs server-side, while the regular javascript and jQuery run client-side, in the user's browser. If you've got GS in your HTML files, then I expect you're using templated HTML, which in turn means that the GS is evaluated server-side to produce the final HTML that gets served to the client. (Take a look at the HTML source once the page is served up... no GAS in there.)
So it's those different operating contexts that keep your GAS & jQuery elements from interacting directly. From the client, you can use google.script.run for instance, to call server-side functions and pass parameters to them, and you can also set up call-backs to receive asynchronous "returns" from your GS code.
Given the reliance on DOM elements, I am not sure what use there would be in having jQuery in server-side Apps Script, but this blog entry from #EricKoleda provides an example of porting an open source javascript library to Google Apps Script. (Maybe you'll find his copy of the Underscore Library to be all you need!)
I am building an extension for Chrome which gives the user a basic API. I would like for other developers to have the ability to add functions of their own to my API. For example, some developers offer a new "plugin" (which is only JavaScript code), and I want users to be able to download that plugin into their extension.
The main problem I'm facing is this:
How do you load new code into an extension permanently?
Ideally I would like to add code into the extension's JavaScript, but I have no way to write to the file; I am under the impression that I am restricted by JavaScript - is this true?
While I could perhaps load new code dynamically (by downloading some script), that code will only hold for the current run, and is not added permanently. Rather, it is gone once the user reloads the extension.
The only solution I can see so far is to create a login system where I save each user's downloaded plugins and give him the mandatory option to load them every time he opens the extension.
This method is very messy and impractical, because I don't want to make a user login every time. In fact, I would very much like to refrain from using any login system whatsoever.
What I desire is something similar to what the GreaseMonkey extension does, which is the ability to let users write scripts and allow other users to be able to download them.
I'm obviously looking to create an extension which is much smaller and simpler than GreaseMonkey, but something like GreaseMonkey is more or less what I am looking for.
Any thoughts or suggestions?
All of the "plugins" will be independent chrome extensions. You can then use Message Passing to send a message to every installed extension and the ones that are plugins should have code that goes something like:
if recieve "some identifying key"
then respond "information about this plugin"
Now your main extension knows what plugins are installed and can load their JS files using chrome-extension://[extensionID]/file.js".
That should get you started :)
I'm using a general Google Apps Script function to be able to read, prettify and publish Google Apps Script code and data from a scriptdb. I've recently extended it to publish code from a Gist or from a given web address. The purpose it to be able to include live code snippets in documentation. I have it all working fine for most use cases, including for html and other server based files.
However, php files get executed rather (than returned as text/html) when accessed with urlFetch(). I know it's along shot, but does anyone know of any header options, or indeed any other technique, I can use to generally override this?
What you are asking for would be a major security problem. It is not possible to ask for the php-code instead of the result of the php script execution. Well, not exactly - it is up to the Server hosting that php script what it does with it. If there was no php extension installed on the server it would return the php code or the file as whole.
But to help with your request:
You should ask the server administrator / website owner if the code is available somewhere and if so what the url is. I believe there is a php extension that allows files to be looked at with colors, text indent and everything - but i think it is disabled by default (or you need to rename your php file to something else)