Installing chrome extension on windows in the future

678 views
Skip to first unread message

ludovic paquet

unread,
Nov 8, 2013, 3:39:00 AM11/8/13
to chromium-...@chromium.org
Hi,


As regards these changes ("Protecting Windows users from malicious extensions"), will it be possible (like today) to drag'n drop crx extension for installing them ?


Thanks !


Ludovic

Tim Robinson

unread,
Nov 8, 2013, 4:30:27 AM11/8/13
to chromium-...@chromium.org
I'm assuming not.

What a shambles - It looks like a lot of my corporate customers will have no choice but to go back to "good old" Internet Explorer :-( I didn't think I'd ever be saying that.

RichardS

unread,
Nov 8, 2013, 4:51:44 AM11/8/13
to chromium-...@chromium.org
I hope the drag and drop option is retained (even with the use of a flag). We have an internal extension that contains private information that we would not put in the Chrome Web Store. Our internal users simply drag and drop our crx to install at the moment in their stable channel browsers.

I can understand stopping silent installation for consumers but what I have described is a very common use case in business.


On Friday, November 8, 2013 8:39:00 AM UTC, ludovic paquet wrote:

Tim Robinson

unread,
Nov 8, 2013, 5:16:31 AM11/8/13
to chromium-...@chromium.org
I hope so too but I suspect we're hoping in vain. As far as I'm aware they have already changed it so that extensions not from the app store have to be explicitly dragged and dropped. If they were keeping the same behaviour there would be no need for this announcement.

RichardS

unread,
Nov 8, 2013, 5:33:14 AM11/8/13
to chromium-...@chromium.org
The announcement suggests they are targeting bundled extension installed through this mechanism: http://developer.chrome.com/extensions/external_extensions.html

This is different to the drag and drop mechanism which an additional step the average user would not use. Some clarity from Google would be good here.

David Mohl

unread,
Nov 8, 2013, 8:16:45 AM11/8/13
to chromium-...@chromium.org
What I got from the message is, that you have to activate developer mode first before being able to drag and drop (a.k.a. tick the small box and put chrome into developer mode).

Would love some verification on this
--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/6e91bcbc-3bbd-4bd6-925b-b7311fc34970%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/groups/opt_out.

Antony Sargent

unread,
Nov 8, 2013, 6:27:27 PM11/8/13
to Chromium-extensions
Unfortunately the bad actors we've seen in the wild have been writing the chrome preferences file (after killing running instances of chrome) and/or modifying shortcuts to insert command-line flags. So anything we could write into your chrome preferences to say "they manually installed this via drag and drop", the bad actors can just write. (In fact we've found that many already do something very much like this today, to bypass the "users must opt in" protections we added a while back - they just set the "this user said yes to that dialog" flag to true). 


David Mohl

unread,
Nov 8, 2013, 8:45:53 PM11/8/13
to Antony Sargent, chromium-...@chromium.org
Thanks for clearing this up Antony.

Since I am maintaining a popular (300k) non-webstore extension right now that got kicked out of the webstore, this is affecting me and my userbase pretty strong. 

Pushing my addon back to the webstore listing will very likely not work. Would pushing it as a private addon be an option for us non-webstore-devs? Since only users with the URL would be able to find the extension.

Or does this change indeed require us to publish a manual how to load a unpacked extension into chrome? This case would have an huge impact and basically killing off all non-webstore extensions that are targeting non-tech users. Imagine advising every user to go to github and download a zip from your source code (or is this what google wants? Webstore or nothing?)


Cheers

Antony Sargent

unread,
Nov 11, 2013, 12:26:28 PM11/11/13
to David Mohl, Chromium-extensions
Hi David-

Sorry this change will negatively impact you! If for some reason your extension actually does comply with the webstore's program policies / terms of service and it was removed in error, you can start a new thread at http://groups.google.com/a/chromium.org/group/chromium-apps/ and our developer relations folks may be able to help get things straightened out. Also, it's worth reiterating that these restrictions only apply to extensions, not apps, and only on windows stable/beta channel. 

Assuming none of the above helps, you can notify your users of the options they have for running extensions not hosted in the webstore:

-Use any verison of chrome on mac or linux, where we are not enforcing these restrictions
-On Windows, install the canary channel alongside the existing stable/beta install (since canary can co-exist and uses a different profile directory), or replace chrome stable/beta with the dev channel
-Users who are very technical could even build their own copy of chromium from the open source repository, or download one of the continuous builds). This isn't a good option in general since you don't get autoupdates and would need to keep it up to date yourself, but I include it for completeness. 

We don't recommend trying to have people run the extension unpacked in developer mode, because we will be adding UI safeguards to steer regular users away from this, and if we find abuse by some of the same bad actors who have been force installing extensions to date we may need to start flagging extensions that push developer mode on users as malware.


Reply all
Reply to author
Forward
0 new messages