Security, Installation Alternatives, Review Process
Jerry Krinock
a document explaining the security model of Chromium Extensions,
particularly the rules on interacting with other desktop applications,
installation of extensions, and is there a Review Process for
Extensions?
Longer Version:
I'm considering developing an Extension which would interact with my
Mac OS desktop application, specifically to read and write the user's
bookmarks. I'm not sure that this could even be done, since I'd like
the reads and writes to be initiated primarily by my desktop app.
Custom URL schemes may play a role. Would this even be allowed by
Chromium's security model, though?
Then, rather than distributing through the Extensions Gallery or
hosting on my own server, I would like to package my extension in with
my desktop app, and provide a function in my app which would install
the extension into ~/Library/Application\ Support/Google/Chrome/
Default/Extensions. Is there any reason why I could not do this?
Finally, in browsing the list archives today I found a message from a
developer inquiring about the Review Process…
http://groups.google.com/a/chromium.org/group/chromium-extensions/browse_thread/thread/714fc597793f8f35#
But I can't find any mention of the Review Process in the Developer's
Guide. Where can I find out about the Review Process?
Thanks,
Jerry Krinock
Aaron Boodman
> Short Version: I want to read but cannot find in the Developer's Guide
> a document explaining the security model of Chromium Extensions,
> particularly the rules on interacting with other desktop applications,
> installation of extensions, and is there a Review Process for
> Extensions?
I don't think there is a document covering this kind of thing, but I
can answer here.
> Longer Version:
>
> I'm considering developing an Extension which would interact with my
> Mac OS desktop application, specifically to read and write the user's
> bookmarks. I'm not sure that this could even be done, since I'd like
> the reads and writes to be initiated primarily by my desktop app.
> Custom URL schemes may play a role. Would this even be allowed by
> Chromium's security model, though?
Yes, it is possible. You can include native code in an extension via NPAPI:
http://code.google.com/chrome/extensions/npapi.html
And from there talk to your desktop app using native IPC.
> Then, rather than distributing through the Extensions Gallery or
> hosting on my own server, I would like to package my extension in with
> my desktop app, and provide a function in my app which would install
> the extension into ~/Library/Application\ Support/Google/Chrome/
> Default/Extensions. Is there any reason why I could not do this?
We already support a mechanism to distribute extensions with third
party apps that is much simpler than that:
http://code.google.com/chrome/extensions/external_extensions.html#preferences
Though because of
http://code.google.com/p/chromium/issues/detail?id=41902, you'll have
to periodically re-apply the change.
> Finally, in browsing the list archives today I found a message from a
> developer inquiring about the Review Process…
> http://groups.google.com/a/chromium.org/group/chromium-extensions/browse_thread/thread/714fc597793f8f35#
> But I can't find any mention of the Review Process in the Developer's
> Guide. Where can I find out about the Review Process?
http://www.google.com/support/chrome/bin/answer.py?answer=113909 See
"extension review process" section.
Basically, most extensions are automatically and immediately approved.
The developer in the mail list thread you linked to hit a bug in our
gallery, he wasn't being held for manual review on purpose. A few
types of extensions (including those that use NPAPI) require manual
review, which is usually less than a week.
- a
Jerry Krinock
On 2010 Oct 08, at 15:58, Aaron Boodman wrote:
> On Mon, Oct 4, 2010 at 6:44 PM, Jerry Krinock <je...@sheepsystems.com> wrote:
>> Then, rather than distributing through the Extensions Gallery or
>> hosting on my own server, I would like to package my extension in with
>> my desktop app, and provide a function in my app which would install
>> the extension into ~/Library/Application\ Support/Google/Chrome/
>> Default/Extensions. Is there any reason why I could not do this?
>
> We already support a mechanism to distribute extensions with third
> party apps that is much simpler than that:
>
> http://code.google.com/chrome/extensions/external_extensions.html#preferences
Eeek. This method requires that I modify the Google Chrome application package, normally owned by root, on the user's machine. That's generally a no-no in Mac OS X. First of all, if the user is not an administrator, they may not have permission to do it. Second, even if they do, their modification of Google Chrome will affect other users. Third, as you noted…
> because of
> http://code.google.com/p/chromium/issues/detail?id=41902,
> you'll have to periodically re-apply the change.
which says that if the user ever updates or reinstalls Google Chrome, obviously my "external extension" that I put in there gets hosed. Fourth, although many users regularly back up their Home folder, not as many back up their /Applications.
When programming for Mac OS X, one prefers to keep as much as possible in the user's Home folder. So I think that my idea of providing a "Install Chrome Extension" button in my app which will copy my extension to
~/Library/Application\ Support/Google/Chrome/Default/Extensions
is not only more reliable, but also simpler and better follows Mac OS X's security model, when compared to modifying the installation of Google Chrome in root's /Applications.
However, do let me know if there's any reason I overlooked why this might fail in the field. Oh, besides the fact that neither method would be allowed by Apple for an app in the Mac App Store :(
Thanks again,
Jerry