--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/184f34a3-fbee-4467-9f7c-d4c7d3d5577c%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/groups/opt_out.
But just to be absolutely clear, in the latter two options (for people in domain or trusted testers) some untrusted person with the link wouldn't be able to get at the code for the extension from the store or is it merely that they couldn't install it?
I appreciate the reasons given for this change but it's actually quite a pain, as at my company we're in a similar position as Scott but would rather not expose an internal only extension to the outside world. I suppose there is obfuscation, but are there any other approaches that could be recommended for those concerned with privacy? (i.e. some way to keep more of the workings internal only?)
Thanks for the response. The concern with the Enterprise settings is mainly one of practicality - the extension tool being developed is useful to my team, but I am unlikely to win over our central IT people to make a change specifically for us; we don't usually operate with that level of fine grained control over those sort of settings (there are areas where levels are fine grained, but the overall profiles are typically fairly uniform).
You could make the case that we're not making sufficient effort, or if it were important enough, we'd change, however the world is full of things that fall in this category, and it's just a shame we have lost something that didn't actually seem that broken to me.
I'm sure you've got great people running over the options, so I feel hesitant to suggest it, but is there no way to sign the collection of extension settings and then simply compare the stored signature at start up against the files? (i.e. so you know the bad actors haven't fiddled with them). And if it's on a machine that's so compromised, is the upcoming change not just rearranging the chairs on the Titanic? Not much reassurance for those in sea-worthy vessels!
Kind regards,
Neil
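The start-up check suggested in the message above, sketched as an added example (not part of the original thread and not Chrome's code). An HMAC stands in for the "signature"; the `extensions` / `settings_mac` layout, the key and the IDs are constructed for illustration. The last case shows the limit raised in the same message: software that can read the locally stored key can re-seal its own changes.

```python
import copy
import hashlib
import hmac
import json

MAC_FIELD = "settings_mac"  # hypothetical field name, not a real Chrome preference key


def settings_mac(key, prefs):
    """HMAC-SHA256 over a canonical JSON encoding of the extension settings."""
    canonical = json.dumps(prefs.get("extensions", {}), sort_keys=True,
                           separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal(key, prefs):
    """Return a copy of prefs carrying a MAC of its current extension settings."""
    sealed = copy.deepcopy(prefs)
    sealed[MAC_FIELD] = settings_mac(key, sealed)
    return sealed


def verify(key, prefs):
    """Start-up check: does the stored MAC still match the extension settings?"""
    stored = prefs.get(MAC_FIELD)
    if not isinstance(stored, str):
        return False  # a missing or malformed MAC is treated as tampering
    expected = settings_mac(key, prefs)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def added_ids(before, after):
    """Extension IDs present in `after` but not in `before`."""
    return sorted(set(after.get("extensions", {})) - set(before.get("extensions", {})))


# Constructed sample data (assumed layout, not Chrome's real Preferences format).
KEY = b"constructed-demo-key"
KNOWN_ID, UNKNOWN_ID = "a" * 32, "b" * 32
sealed = seal(KEY, {"extensions": {KNOWN_ID: {"state": "enabled"}}})

# Case 1: the file is edited without knowledge of the key.
tampered = copy.deepcopy(sealed)
tampered["extensions"][UNKNOWN_ID] = {"state": "enabled"}

# Case 2: the editor can read the key kept on the same machine and re-seals.
resealed = seal(KEY, tampered)

if __name__ == "__main__":
    print(verify(KEY, sealed), verify(KEY, tampered), verify(KEY, resealed))
```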
First of all, a shout-out to Google: GOOD JOB GUYS! Thanks for helping with protecting your users!
I'm now writing a detailed research that I intend to publish very soon with all of my findings about the industry of ad-injecting add-ons (If anyone's interested - I'll update this thread with it soon with an early draft of the research).
Is there anyone here that can share some more technical details about the future changes? Will the preferences file be encrypted, for instance?
Thanks!
On Tue, Nov 12, 2013 at 2:16 PM, samroth <samro...@gmail.com> wrote:
First of all, a shout-out to Google: GOOD JOB GUYS! Thanks for helping with protecting your users!
I'm now writing a detailed research that I intend to publish very soon with all of my findings about the industry of ad-injecting add-ons (If anyone's interested - I'll update this thread with it soon with an early draft of the research).
Is there anyone here that can share some more technical details about the future changes? Will the preferences file be encrypted, for instance?
Which preferences exactly?
Thanks!
@Adrian,
Chrome's preferences file.
In my research, I found out that changing it allows silently adding extensions to Chrome, without the user's approval.
Sure enough NaCl and Chrome Apps don't get me anywhere but it looks like the Native Messaging API will allow me to do what I want. I can write a small executable which does the Windows API part for me and talk to that through the shared messaging.
NaCl doesn't have access to the system. You can't call native system functions directly, for example use the Win32 API. So NaCl is like native JavaScript, and all your code runs in Google's sandbox.
Native Messaging Host - Limited users can't install a native messaging host, because your installer needs to write to the HKLM registry hive to register your host with Chrome; to do that a user needs to run your installer with admin privileges. If you have a big user base, you will lose many users.
Also, you can't install an extension and a native messaging host at once; you need to write your own custom native installer and updater for every platform: Mac, Win, Linux. Moreover, this is not a cross-browser solution.
P.S. As a result, browsers based on Chromium are stuck at v.25 and not updating their products. As a result, many users are moving to the alternative small browsers and IE, just look at counterstats.
Sure enough NaCl and Chrome Apps don't get me anywhere but it looks like the Native Messaging API will allow me to do what I want. I can write a small executable which does the Windows API part for me and talk to that through the shared messaging. It seems pretty secure too (because an attacker would have had to have already installed an executable on the machine in order to be able to attack it through a native messaging plugin) so I'd hope that google won't be removing this API in the near future at least.
Will drag and drop into chrome:extensions continue to work?
☆PhistucK
On Sat, Nov 9, 2013 at 12:53 AM, Antony Sargent <asar...@chromium.org> wrote:
But just to be absolutely clear, in the latter two options (for people in domain or trusted testers) some untrusted person with the link wouldn't be able to get at the code for the extension from the store or is it merely that they couldn't install it?
I believe what happens is that someone with the URL but not in the domain / trusted testers list would get an error page if they browsed to the URL. However, because we do autoupdate requests without sending any cookies, in some cases if someone knows the id of the extension they may be able to get a copy of it by crafting a fake autoupdate check. (However if they have access to a computer where it is installed to find out the id, they could get a copy of the contents from the user profile directory anyway).
I appreciate the reasons given for this change but it's actually quite a pain, as at my company we're in a similar position as Scott but would rather not expose an internal only extension to the outside world. I suppose there is obfuscation, but are there any other approaches that could be recommended for those concerned with privacy? (i.e. some way to keep more of the workings internal only?)
Sorry this is a pain for you! We very reluctantly came to the decision to add these restrictions after analyzing data showing rapidly increasing numbers of Windows users being plagued by unwanted force-installed extensions. (The problem is that the bad actors doing the force installs are rewriting users' preferences files behind their back after killing Chrome to make it look like they opted in to the install when they didn't.)
To summarize, the restrictions will only apply to Windows Chrome stable/beta users, and the set of available options will be:
- Users installing from the webstore via the regular chrome.google.com/webstore page, or inline install from pages a developer controls. The items here can be unlisted (effectively hidden from public view) and additionally shown but just to domain users or trusted tester groups.
- Enterprise policy, specifically the ExtensionInstallForceList or ExtensionInstallWhitelist values.
- Unpacked for development
We really wanted to limit the scope of the change to just where the problem is, so we don't plan to enforce these restrictions to the dev or canary channels, the open-source Chromium builds, or to Chrome on OSes other than Windows. Again, I really wish we didn't have to make the tough choice between leaving large numbers of our user base at risk or making life more difficult for some legitimate developers like yourself. We'll continue to try and find technical solutions that would be hard for the bad actors to exploit but give flexibility for cases like yours, but so far we haven't come up with anything that achieves that.
Could you elaborate on why using enterprise policy would not work for you?