extension deployment starting 2014


Rajesh Katalkar

Dec 17, 2013, 8:30:50 AM
to chromium-...@chromium.org
I know there are other topics where this is discussed in different parts. As far as I know, Google is going to make extensions from the webstore mandatory.
Following are other known ways that should work with the webstore. Please correct me if I am wrong.
1) GPO and hosting the crx on a custom server
2) Manual loading using developer mode

Unknown to me:
1) crx manual loading


Details of my extension:
1) Depends on a native messaging host app



Rajesh Katalkar

Dec 17, 2013, 8:35:42 AM
to chromium-...@chromium.org
Correction: pasting again, as there is no way to edit a post.


I know there are other topics where this is discussed in different parts. As far as I know, Google is going to make extensions from the webstore mandatory.
Following are other known ways that should work without the webstore. Please correct me if I am wrong.

Rajesh Katalkar

Dec 18, 2013, 2:20:47 AM
to chromium-...@chromium.org

Can anyone please reply to this? This is very important. We need to know every possible way to deploy it, both the webstore and the non-webstore way.

Rajesh Katalkar

Dec 18, 2013, 12:54:11 PM
to chromium-...@chromium.org

Why is this most important question still unanswered? Why isn't anyone replying? This is very important. I have changed the extension design from NPAPI to native messaging and want to know all possible ways to deploy this. This is a very important decision we need to make now, so that our clients don't face problems.

Sent from LG


Antony Sargent

Dec 18, 2013, 8:11:13 PM
to Rajesh Katalkar, Chromium-extensions
The policy change was announced here: http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html and affects extensions (not apps) on Windows beta/stable channels.

Apart from running extensions hosted in the webstore,

- Enterprise policy managed Chrome instances will still be able to run non-webstore extensions via ExtensionInstallWhitelist/ExtensionInstallForcelist. On Windows these policies are loaded via the Group Policy API.

- Developers will still be able to run unpacked extensions for development, but this isn't intended to be a mechanism for distribution to end users.


When the policy is in effect, extensions not hosted in the webstore will not be loaded by Chrome.




Rafał J

Dec 18, 2013, 8:31:58 PM
to chromium-...@chromium.org, Rajesh Katalkar
And then my company will die, I will be jobless and with the rest of my money I'll probably sue Google and Antony Sargent by name, along with any other Chrome/Chromium dev I'll find online, for those changes are total bullshit. All you needed to do in order to protect users was to put up a popout message about possible danger while installing extensions outside of the webstore. Instead you've decided it'll be a better idea to just ruin my life and lives of extension developers who can't put their products in the webstore because Google is full of shit. Never trust Google, they don't care anymore. Just go and take a look how they're stealing from video makers on YouTube right now...



Rajesh Katalkar

Dec 19, 2013, 2:44:20 AM
to Rafał J, asar...@chromium.org, Chromium-extensions
Antony, is there any impact of "When the policy is in effect, extensions not hosted in the webstore will not be loaded by chrome." on this: "Developers will still be able to run unpacked extensions for development, but this isn't intended to be a mechanism for distribution to end users"?

Plus, all this important info should be on the extension development page and not on any Chromium page. We have to google to find all such info, yet this is not officially updated.

Also, with GPO, can we host it on our web server or does it have to be on the Google store?


Rajesh Katalkar

Dec 20, 2013, 12:48:04 PM
to Rafał J, asar...@chromium.org, Chromium-extensions

I am not getting why I have to ask again and again for an answer to my question, which is a very important deployment question. This is delaying our decision on the deployment technique.

Sent from LG

Rajesh Katalkar

Dec 21, 2013, 12:57:34 PM
to chromium-...@chromium.org, Rafał J, asar...@chromium.org
Wow, no reply yet... so many responses to other threads, though.
Please reply.



Finnur Thorarinsson

Dec 22, 2013, 6:25:46 PM
to Rajesh Katalkar, Chromium-extensions, Rafał J, Antony Sargent
wow no reply yet 

I don't know... it might have something to do with the fact that you threatened to sue the last person who replied to you on this thread, and you expanded your threat to include "any other Chrome/Chromium dev [you'll] find online".

Now, I didn't have any part in this decision but I understand well and sympathize with the fact that it is upsetting you so much right now. I know the people involved found the decision hard to make and you can rest assured it wasn't made lightly. In fact, they are quite displeased having their hands forced this way. I just wanted to point out that the people who made that decision are not active on this mailing list so you are not likely to get many people to help you out if you start by threatening the ones that reply.

Also, what's missing from this discussion is what extension we are talking about, what it does and why it cannot be included in the webstore. Can you please elaborate?



Rajesh Katalkar

Dec 22, 2013, 11:32:14 PM
to Finnur Thorarinsson, Rafał J, Chromium-extensions, Antony Sargent

Ohh... I didn't threaten to sue anyone. Can you point out the comment where you thought I did?

Sent from LG

David Mohl

Dec 22, 2013, 11:33:50 PM
to Chromium-extensions
Rafal was the one talking about suing people. Probably a mail mixup.

Rafał J

Dec 23, 2013, 12:08:19 AM
to chromium-...@chromium.org
It was no mix up. Google is killing my business, I will go bankrupt thanks to that extension decision alone. Also Chrome was open source, now it's "only Google", and nobody cares? Can't you people see that Google has changed from the loving company to a greedy corporation ready to profit on everything? Yeah, sure, let's calmly sit here and wait for an answer that'll be worthless, because it's not Chrome/Chromium team doing it, it's the head of Google! They've ruined Android Market, they're actively destroying YouTube and now it is time to ruin Chrome! You guys sit here, and talk, I'm going to rip back my livelihood from those bastards! Ohh, I was like you, I was sitting here, waiting for answers for months... They don't have them. Don't waste your time.

Rajesh Katalkar

Dec 23, 2013, 1:19:09 AM
to chromium-...@chromium.org
If you see my first post, I was well aware of the policies and I would have threatened on day one if I had to. You guys abandon my threads without even checking who sent the mail.
This is a forum where everyone can post. It's not limited to the author and the Google devs.
If you see my other threads, I was working on porting my NPAPI to native messaging.
Now I understand that this is the reason my new threads were not seen. I was a fool to think that you guys may be busy somewhere. What a shame.

Rajesh Katalkar

Dec 26, 2013, 11:24:34 PM
to chromium-...@chromium.org

So, is anyone back who can answer my query? A few days to 2014 left...

Sent from LG


Rahul Roy-chowdhury

Dec 27, 2013, 2:26:33 PM
to chromium-...@chromium.org
Rajesh - Antony responded to your queries on December 18th.  In response you asked two specific questions which I will answer below:

1) Antony is there any impact of "When the policy is in effect, extensions not hosted in the webstore will not be loaded by chrome." on this "Developers will still be able to run unpacked extensions for development, but this isn't intended to be a mechanism for distribution to end users"
Answer: As Antony said, anyone can still load unpacked extensions for development purposes. However, we don't want this to become a distribution mechanism to end users. If you're trying to gauge the feasibility of distributing an extension to your users by using this development flow, please don't do it.

2) Also with GPO can we host it on our webserver or it has to be on google store?
Answer: I believe Antony's answer was very clear on this front. Enterprise policy managed Chrome instances will still be able to run non-webstore extensions via ExtensionInstallWhitelist/ExtensionInstallForcelist. On Windows these policies are loaded via the Group Policy API.

If there are other aspects of extensions distribution that are still unclear, please ask specific questions and we will try to respond.

Thanks,
Rahul.
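
For administrators who use the policy route described above, an added example (not part of the thread or of Chrome's code) that audits ExtensionInstallForcelist values and reports which extensions are force-installed from somewhere other than the Web Store. The `id;update URL` value format and the Web Store update host come from Chrome's policy conventions rather than from this thread; the sample values are constructed.

```javascript
// Added example (not from the thread): audit ExtensionInstallForcelist values.
// Each value has the form "<32-char extension id>;<update URL>".
const WEBSTORE_UPDATE_HOST = "clients2.google.com"; // Chrome Web Store update service host
const EXTENSION_ID_RE = /^[a-p]{32}$/;              // extension IDs use only the letters a-p

// Split one policy value into its id and update URL parts.
function parseForcelistEntry(raw) {
  const text = String(raw).trim();
  const sep = text.indexOf(";");
  if (sep === -1) return { id: text, updateUrl: "" };
  return { id: text.slice(0, sep).trim(), updateUrl: text.slice(sep + 1).trim() };
}

// Classify one entry and list anything an administrator should review.
function auditEntry(raw) {
  const { id, updateUrl } = parseForcelistEntry(raw);
  const findings = [];
  let source = "unknown";
  if (!EXTENSION_ID_RE.test(id)) findings.push("malformed-id");
  if (updateUrl === "") {
    findings.push("missing-update-url");
  } else {
    let url = null;
    try {
      url = new URL(updateUrl);
    } catch (e) {
      findings.push("invalid-update-url");
    }
    if (url) {
      source = url.hostname === WEBSTORE_UPDATE_HOST ? "webstore" : "self-hosted";
      // The update manifest should not travel over plain HTTP.
      if (url.protocol !== "https:") findings.push("non-https-update-url");
    }
  }
  return { id, updateUrl, source, findings };
}

// Audit every value and summarise what is self-hosted and what needs review.
function auditForcelist(values) {
  const results = values.map(auditEntry);
  return {
    results,
    selfHosted: results.filter(r => r.source === "self-hosted").map(r => r.id),
    needsReview: results.filter(r => r.findings.length > 0).map(r => r.id),
  };
}

// Constructed sample values, as they might appear under the policy key.
const SAMPLE_FORCELIST = [
  "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
  "ponmlkjihgfedcbaponmlkjihgfedcba;https://extensions.example.com/updates.xml",
  "aaaabbbbccccddddeeeeffffgggghhhh;http://intranet.example.com/crx/updates.xml",
  "not-an-extension-id;https://extensions.example.com/updates.xml",
];

const forcelistReport = auditForcelist(SAMPLE_FORCELIST);
for (const r of forcelistReport.results) {
  console.log(`${r.id}  ${r.source}  ${r.findings.join(",") || "ok"}`);
}
```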



Rajesh Katalkar

Dec 28, 2013, 1:33:55 AM
to Rahul Roy-chowdhury, chromium-...@chromium.org

Thanks Rahul for the response.

As you can see in my first post, I have said that my extension depends on a native messaging host... But the update of this can be taken care of by the webstore.
Plus, we already support online updates for our software, so we can basically update both the extension and the native app if we load it manually.

Sent from LG


Rajesh Katalkar

Dec 28, 2013, 1:36:36 AM
to Rahul Roy-chowdhury, chromium-...@chromium.org

Typo error... I wanted to say that the update of the native app is not taken care of by the webstore.

Can you guys add support for editing of posts?

Sent from LG

Antony Sargent

Jan 2, 2014, 6:55:08 PM
to Rajesh Katalkar, Rahul Roy-chowdhury, Chromium-extensions
FYI, there's a feature request open to let the native messaging host executable be easily distributed inside the extension directory and therefore update in lock step with it. We'd still require the user to run a one-time native program from a developer to configure this, but from then on all updates to the extension code and native code can be pushed through the web store. 




Don Schmitt

Jan 4, 2014, 11:57:06 AM
to Antony Sargent, Rajesh Katalkar, Rahul Roy-chowdhury, Chromium-extensions
Hi Antony,

I see the bug has been marked as M-34, can you provide some visibility into what that means in terms of dates?  Any chance of expediting it?

This change would greatly improve how we upgrade users from NPAPI -> Native Messaging (i.e. a completely different installer that only configures the registry setting), and I expect a good number of us would like to wait for this change before upgrading our users.

But we are quickly approaching the May deadline when we have to remove NPAPI from the manifest, and if M-34 means the date when the release channel gets to version 34, I think that will leave us very little time to get our users upgraded.

Thanks!



Rajesh Katalkar

Jan 5, 2014, 10:59:17 AM
to Antony Sargent, Chromium-extensions, Rahul Roy-chowdhury

I don't know when that will happen, but I would still like non-webstore unpacked extension support like Firefox has,
and also support for downgrading an extension, such that anyone can uninstall our software and reinstall an old version in case of a bad update of our software and also get the old extension with that. Not just the extension, but our package in general.

Another reason is that our extension cannot function without our software. The native app alone cannot do anything on its own.

Also, we give the same extension to our clients with customization of the UI only, so how will we distribute such OEM-customized extensions from your web store? We will need to repack them with a different extension ID, but the difference will only be in the UI, i.e. images etc.

Sent from LG

Antony Sargent

Jan 6, 2014, 2:06:27 PM
to Don Schmitt, Rajesh Katalkar, Rahul Roy-chowdhury, Chromium-extensions
Hey Don-

I'll ask around and see how likely it is that we could get it into chrome 34. In general we aim for releasing new versions out to stable every 6 weeks, so if you do the math I think that means M34 would likely land just about in time (see https://omahaproxy.appspot.com/ and https://omahaproxy.appspot.com/history). We try not to make any explicit guarantees about when versions will be released, and whether particular features will make it in, because it's common that bugs or UI/security/etc. problems delay things. On the plus side, this particular feature seems like it would be pretty simple to implement, but I don't feel particularly comfortable recommending you rely on it arriving in time, especially if it would be a big problem for you if it didn't. 


Antony Sargent

Jan 6, 2014, 7:53:52 PM
to Rajesh Katalkar, Chromium-extensions, Rahul Roy-chowdhury
On Sun, Jan 5, 2014 at 7:59 AM, Rajesh Katalkar <rajesh...@gmail.com> wrote:

I don't know when that will happen, but I would still like non-webstore unpacked extension support like Firefox has,
and also support for downgrading an extension, such that anyone can uninstall our software and reinstall an old version in case of a bad update of our software and also get the old extension with that. Not just the extension, but our package in general.

This case of allowing downgrades is an interesting one that we haven't talked a lot about, and I'll give some thought to whether there's anything we could do to accommodate it. In general the approach we've taken is to treat extensions like websites - every once in a while an update breaks something and the developer needs to fix it. This is clearly a downside of the "always do silent autoupdate" approach, but it is balanced by users getting things like new features and security fixes more promptly and easily.

Another reason is that our extension cannot function without our software. The native app alone cannot do anything on its own.

Also, we give the same extension to our clients with customization of the UI only, so how will we distribute such OEM-customized extensions from your web store? We will need to repack them with a different extension ID, but the difference will only be in the UI, i.e. images etc.

For customization, I'd say you have 3 options:

a) If your clients are enterprises with managed Windows machines, they can use Chrome enterprise policy.
b) You can have multiple extensions on the store, one for each customization.
c) You can have one extension on the store, and it can use code to decide how to customize itself (e.g. downloading assets after install, etc.)


Rajesh Katalkar

Jan 7, 2014, 2:51:37 AM
to Antony Sargent, Chromium-extensions, Rahul Roy-chowdhury
Can you elaborate on how to achieve the below?

c) You can have one extension on the store, and it can use code to decide how to customize itself (e.g. downloading assets after install, etc.)

Also, please put some thought into non-webstore unpacked extension support, because with this everyone points to one directory: easy to maintain, control and update. Also, when we uninstall our software, as this directory becomes absent, it gets removed from Chrome too. For internal tests we load the unpacked extension using dev mode, a trouble-free way to load the extension...



Antony Sargent

Jan 7, 2014, 12:35:00 PM
to Rajesh Katalkar, Chromium-extensions, Rahul Roy-chowdhury
On Mon, Jan 6, 2014 at 11:51 PM, Rajesh Katalkar <rajesh...@gmail.com> wrote:
Can you elaborate on how to achieve the below?

c) You can have one extension on the store, and it can use code to decide how to customize itself (e.g. downloading assets after install, etc.)


Nearly everything in an extension can be dynamically changed. For example things like the browser action icon and tooltip can be changed with APIs. Any pages opened in tabs, or browser action popup windows, can use the same techniques any web page uses to customize content.

You can store small amounts of data using chrome.storage.local / chrome.storage.sync, or HTML's window.localStorage, and larger amounts of data using HTML's IndexedDB or sandboxed file / file system APIs. Data stored this way can then be used inside your pages to e.g. do string substitution in JavaScript similar to how you might do internationalization/localization for a regular web page.


Also, please put some thought into non-webstore unpacked extension support, because with this everyone points to one directory: easy to maintain, control and update. Also, when we uninstall our software, as this directory becomes absent, it gets removed from Chrome too. For internal tests we load the unpacked extension using dev mode, a trouble-free way to load the extension...

Unpacked extension support is intended only for developers, not end users. We'll soon be including a very prominent warning dialog at each Chrome startup (in Chrome builds where we're enforcing the "from webstore" restriction) recommending users hit a button in the dialog to disable all extensions loaded this way. This is to prevent malicious developers from using this as a way to push unwanted non-webstore extensions on users (it's easy for them, and even common today, to write the user's preferences file to make it appear as if they opted in to run them, so unfortunately we haven't come up with any way we could tell the difference between forced unwanted installs and installs a user actually wanted).
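
A sketch of option (c) as described in the reply above, added here as an example and not taken from the thread or from any real extension: one store-hosted extension keeps a per-client branding record in chrome.storage.local, applies it to the browser action, and substitutes strings into page templates. The branding field names and icon names are hypothetical, and how the raw record is obtained after install is left out. Because both downloaded assets and on-disk data can be altered, the record is validated when saved and again when loaded, icons are limited to files shipped in the package, and substituted strings are HTML-escaped.

```javascript
// Added example (not from the thread): one store-hosted extension that brands
// itself per client. Branding field names and icon names are hypothetical.
const PACKAGED_ICONS = { default: "icons/default.png", acme: "icons/acme.png" };
const DEFAULT_BRANDING = { title: "Product", iconName: "default", strings: {} };

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Accept only known fields with bounded, well-typed values; fall back to defaults.
function validateBranding(raw) {
  const out = { title: DEFAULT_BRANDING.title, iconName: DEFAULT_BRANDING.iconName, strings: {} };
  if (!raw || typeof raw !== "object") return out;
  if (typeof raw.title === "string" && raw.title.length >= 1 && raw.title.length <= 64) {
    out.title = raw.title;
  }
  // Icons must be one of the files shipped inside the extension package.
  if (typeof raw.iconName === "string" &&
      Object.prototype.hasOwnProperty.call(PACKAGED_ICONS, raw.iconName)) {
    out.iconName = raw.iconName;
  }
  if (raw.strings && typeof raw.strings === "object") {
    for (const [key, value] of Object.entries(raw.strings)) {
      if (/^[a-z][a-z_]{0,31}$/.test(key) && typeof value === "string" && value.length <= 200) {
        out.strings[key] = value;
      }
    }
  }
  return out;
}

// Replace {{key}} placeholders with escaped branding strings (unknown keys become empty).
function renderTemplate(template, strings) {
  return template.replace(/\{\{([a-z_]+)\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(strings, key) ? escapeHtml(strings[key]) : "");
}

// Store a validated branding record using chrome.storage.local.
function saveBranding(chromeApi, raw, done) {
  const branding = validateBranding(raw);
  chromeApi.storage.local.set({ branding: branding }, () => done(branding));
}

// Load the record, validate it again, and apply it to the browser action.
function applyBranding(chromeApi, done) {
  chromeApi.storage.local.get("branding", items => {
    const branding = validateBranding(items.branding);
    chromeApi.browserAction.setTitle({ title: branding.title });
    chromeApi.browserAction.setIcon({ path: PACKAGED_ICONS[branding.iconName] });
    done(branding);
  });
}

// Inside the extension's background page the real `chrome` object is passed in.
if (typeof chrome !== "undefined" && chrome.storage && chrome.browserAction) {
  applyBranding(chrome, () => {});
}
```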



Hannes Carl Meyer

Jan 7, 2014, 2:34:34 PM
to chromium-...@chromium.org, Rajesh Katalkar, Rahul Roy-chowdhury
Hi Antony,

Can you tell with which Chrome version this "prominent warning dialog" will be introduced?

This information about the warning dialog was already very useful for me. I thought all these extensions would be disabled "silently".

Best

Hannes

Rajesh Katalkar

Jan 10, 2014, 11:34:44 AM
to Antony Sargent, Rahul Roy-chowdhury, Chromium-extensions

Antony,
About modifying the preference file: why don't you make use of an SQLite database and save all preferences in encrypted form? I think you are already using SQLite for other purposes.
For now I think I am left with only the GPO approach, which supports non-webstore extensions for deployment. We can host the crx on our online server.

Sent from LG

PhistucK

Jan 10, 2014, 11:38:44 AM
to Rajesh Katalkar, Antony Sargent, Rahul Roy-chowdhury, Chromium-extensions
How would you encrypt them in a way that cannot be decrypted?
By adding a master password to the browser? By forcing all Chrome users to sign into the browser?
Whatever mechanism you add that does not involve disturbing the user with some kind of a password can easily be worked around.


PhistucK



Rajesh Katalkar

Jan 10, 2014, 11:56:09 AM
to PhistucK, Chromium-extensions, Rahul Roy-chowdhury, Antony Sargent

Use your internal algo for this, whose source should not be published. No need to ask users for any login etc.

Sent from LG

PhistucK

Jan 10, 2014, 11:58:05 AM
to Rajesh Katalkar, Chromium-extensions, Rahul Roy-chowdhury, Antony Sargent
What would prevent the malicious extension authors from reverse engineering your internal algorithm?
The author can reverse engineer your encryption and decryption. Sure, it might take a few days, but it is totally possible.


PhistucK

Rajesh Katalkar

Jan 10, 2014, 12:04:49 PM
to PhistucK, Rahul Roy-chowdhury, Chromium-extensions, Antony Sargent

Whether an extension comes from the store or not, we all know it gets extracted into the user's profile directory. Everything is visible. So how can you guarantee that no one will manipulate some other extension which was downloaded from the webstore?

Sent from LG

Rajesh Katalkar

Jan 10, 2014, 12:08:39 PM
to PhistucK, Rahul Roy-chowdhury, Chromium-extensions, Antony Sargent

FYI, I am telling Google to use its own algorithm, not individual extension developers to make one.

Sent from LG

PhistucK

Jan 10, 2014, 12:24:18 PM
to Rajesh Katalkar, Rahul Roy-chowdhury, Chromium-extensions, Antony Sargent
Malicious authors will find the way to reverse engineer the algorithm. I believe Google would have done it if it were sufficiently secure.


PhistucK

PhistucK

Jan 10, 2014, 12:26:10 PM
to Antony Sargent, Rahul Roy-chowdhury, Rajesh Katalkar, Chromium-extensions
You may have a point here. Antony?


PhistucK

Antony Sargent

Jan 10, 2014, 2:38:34 PM
to Hannes Carl Meyer, Chromium-extensions, Rajesh Katalkar, Rahul Roy-chowdhury
My comments about the warning dialog only apply to unpacked extensions (i.e. the ones loaded for development via the "load unpacked extension" button on chrome://extensions). The code that shows this may be restricted to just run on the beta/stable channels though, so you may not be able to see it until chrome 33 goes to beta which should be sometime soonish. You can watch http://googlechromereleases.blogspot.com/ or https://omahaproxy.appspot.com/ to find out when that happens.





Antony Sargent

Jan 10, 2014, 3:23:36 PM
to PhistucK, Rajesh Katalkar, Chromium-extensions
Yeah, doing any sort of encryption of settings that doesn't involve a master password known only to the user could be pretty easily worked around, and forcing the user to enter a master password on every start of chrome would be a pretty bad user experience.  

We've also considered the attack of modifying the contents on disk of another extension, and will have some defenses to mitigate that.

Rajesh Katalkar

Jan 11, 2014, 1:12:31 AM
to Antony Sargent, Chromium-extensions, PhistucK

Antony,
If you do encryption, then there is no need to force extensions to be in the webstore...

Rajesh Katalkar

Jan 11, 2014, 1:16:10 AM
to PhistucK, Chromium-extensions, Rahul Roy-chowdhury, Antony Sargent

There are so many powerful algorithms developed for this... but if you still think that Google cannot do it... then what is the guarantee of our mail accounts and data on your server? This means even our Gmail account is insecure.

PhistucK

Jan 11, 2014, 2:55:05 AM
to Rajesh Katalkar, Chromium-extensions, Rahul Roy-chowdhury, Antony Sargent
The data is on the GMail server. It is much harder to crack than on a local environment.


Everything can be cracked, but it will be much harder when it is not in an environment you can control.


PhistucK

Rajesh Katalkar

Jan 12, 2014, 7:20:36 AM
to chromium-...@chromium.org, Antony Sargent, PhistucK
Antony, I think Google has not yet released the new version which will force the webstore policies... so are you going to give a second thought to encryption for this?



Rob Wu

Jan 12, 2014, 8:16:39 AM
to chromium-...@chromium.org, Antony Sargent, PhistucK
Rajesh,

You seem to be missing the point of Antony's and PhistucK's earlier remarks.
Encryption is not a magic wand. In order to encrypt and decrypt something, two things are needed:
1. An algorithm
2. An encryption key

Encrypting the extension settings on the user's computer cannot be effective, because Chrome needs access to the unencrypted preferences to operate well.

If data is encrypted, Chrome needs to have a key to decrypt the data. There are two possible implementations:
1. Ask the user to provide the key (or the pass phrase that protects the cryptographic key).
2. Retrieve the key from a known source, e.g. the disk or hard-coded in the source code of Chromium.

Either implementation is sub-optimal:
1. Requesting a password from the user every time Chrome starts is a major inconvenience.
2. Method 2 adds no extra protection, because any malicious developer can also use the same methods (since the key and data reside in the same environment, available to the attacker).

Ultimately, it's the user's responsibility to not install trash on their system.

Kind regards,
 Rob
 https://robwu.nl
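
Rob's two key-placement options, as an added example that is not part of the original post or of Chrome's code. An HMAC tag stands in for encryption here, because the argument depends only on where the key lives; the file names, sample preferences and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os


def seal(prefs, key):
    """Attach an HMAC-SHA256 tag computed over the canonical JSON of prefs."""
    body = json.dumps(prefs, sort_keys=True).encode()
    return {"prefs": prefs, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(record, key):
    """Recompute the tag and compare it in constant time."""
    body = json.dumps(record["prefs"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])


def passphrase_key(passphrase, salt):
    """Derive the key from a secret only the user knows (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


ORIGINAL = {"homepage": "https://example.org"}       # constructed sample data
REWRITTEN = {"homepage": "https://changed.example"}  # constructed sample data


def rewrite_accepted_with_stored_key():
    """Option 2: the key sits in the same profile as the data it protects."""
    key = os.urandom(32)
    profile = {"key.bin": key, "prefs.json": seal(ORIGINAL, key)}
    # Any other program running as the same user reads the same files the
    # browser reads, so it can re-seal whatever it writes.
    profile["prefs.json"] = seal(REWRITTEN, profile["key.bin"])
    # The browser's integrity check at next start:
    return verify(profile["prefs.json"], profile["key.bin"])


def rewrite_accepted_with_passphrase_key():
    """Option 1: only a salt is stored; the key exists once the user types the passphrase."""
    salt = os.urandom(16)
    key = passphrase_key("constructed user passphrase", salt)
    profile = {"salt.bin": salt, "prefs.json": seal(ORIGINAL, key)}
    # The other program sees the salt and the record but not the passphrase,
    # and a tag made with any other key does not verify.
    wrong_key = passphrase_key("not the passphrase", profile["salt.bin"])
    profile["prefs.json"] = seal(REWRITTEN, wrong_key)
    return verify(profile["prefs.json"], key)


if __name__ == "__main__":
    print("stored key, rewrite accepted:", rewrite_accepted_with_stored_key())
    print("passphrase key, rewrite accepted:", rewrite_accepted_with_passphrase_key())
```

The stored-key check accepts the rewritten record, while the passphrase-derived key rejects it at the cost of prompting the user on every start.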

Rajesh Katalkar

Jan 12, 2014, 9:20:54 AM
to Rob Wu, Chromium-extensions, Antony Sargent, PhistucK
Adding others,

Copying Antony's response as it is too low... you can just check his last comment in this thread... or just two comments below when you commented on this...

<<<<>>>>>>
On Jan 11, 2014 1:53 AM, "Antony Sargent" <asar...@chromium.org> wrote:
Yeah, doing any sort of encryption of settings that doesn't involve a master password known only to the user could be pretty easily worked around, and forcing the user to enter a master password on every start of chrome would be a pretty bad user experience.

We've also considered the attack of modifying the contents on disk of another extension, and will have some defenses to mitigate that.
<<<<<<>>>>>

On Sun, Jan 12, 2014 at 7:30 PM, Rob Wu <robw...@gmail.com> wrote:
(FYI, you've just replied directly to me, we've left Google groups)

2014/1/12 Rajesh Katalkar <rajesh...@gmail.com>
Rob,
I also said that algo and key should be internal to Google choice, so said you don't have to prompt.

If the key and algo are internal to Google, then the user is basically locked out of Chrome when he doesn't have an internet connection (because if the key is stored on Google's servers, then internet is required to unlock the browser). This is an unacceptable situation.

 
Also see Antony's first point where he agrees that this is possible.
Please quote him. I didn't see anything that implied that encryption would solve the problem.
 
Also current policy is only going to protect the path from where the extension gets installed... But the installed extension is still left unprotected. Anyone can manipulate and exploit it.
Even by putting some protection on installed extension, it can still be cracked by malicious developer as it is local, right?

If you run an untrusted malicious program on your computer, then you're screwed already. Even more if it's run as Administrator / root. In the worst case, one could also replace the Chrome binary with a modified Chrome browser?


But this does not mean that encryption is useless.

With all respect, do you understand the basic principles of (symmetric) encryption and key management? If not, do a bit of research on the topic. It's an interesting subject.
 
I know encryption very well... But just forcing everyone to throw their extension on webstore where the installed extension can still be manipulated... and the reason this policy was made was because your preferences are visible and editable...
But the user's system can still be screwed... So how smart is that, to make such a useless policy where you think you have given the world the ultimate solution to protect their machines.




Rajesh Katalkar

Jan 12, 2014, 9:24:04 AM
to chromium-...@chromium.org, Rob Wu, Antony Sargent, PhistucK

I know encryption very well... But just forcing everyone to throw their extension on webstore where the installed extension can still be manipulated... and the reason this policy was made was because your preferences are visible and editable...
But the user's system can still be screwed... So how smart is that, to make such a useless policy where you think you have given the world the ultimate solution to protect their machines.

<<<<<<>>>>>


Rob Wu

Jan 12, 2014, 10:25:38 AM
to chromium-...@chromium.org, Rob Wu, Antony Sargent, PhistucK
Hi Rajesh,
I think that you've misinterpreted Antony's comment. What I said is basically the same as what he said.


"Yeah, doing any sort of encryption of settings that doesn't involve a master password known only to the user could be pretty easily worked around,"
means: "encryption is useless, unless a user-provided password is used" (this is my point 2)


"and forcing the user to enter a master password on every start of chrome would be a pretty bad user experience."
is self-explanatory (this is my point 1)

@Antony, do you have a crbug link for "We've also considered the attack of modifying the contents on disk of another extension, and will have some defenses to mitigate that."?

Kind regards,
 Rob
 https://robwu.nl

Rajesh Katalkar

Jan 13, 2014, 1:39:35 PM
to Rahul Roy-chowdhury, chromium-...@chromium.org


On this thread " A few clarifications on Googles recent announcemnt on chrome extensions",
Someone named Finnur said that third party servers will be obsolete... so GPO with non webstore is going to work or not? This is getting confusing now...

On Dec 28, 2013 1:40 AM, "Rahul Roy-chowdhury" <rah...@chromium.org> wrote:
Rajesh - Antony responded to your queries on December 18th.  In response you asked two specific questions which I will answer below:

1) Antony is there any impact of "When the policy is in effect, extensions not hosted in the webstore will not be loaded by chrome. " on
 this "Developers will still be able to run unpacked extensions for development, but this isn't intended to be a mechanism for distribution to end users"
Answer: As Antony said, anyone can still load unpacked extensions for development purposes. However, we don't want this to become a distribution mechanism to end users. If you're trying to gauge the feasibility of distributing an extension to your users by using this development flow, please don't do it.

2) Also with GPO can we host it on our webserver or it has to be on google store?
Answer: I believe Antony's answer was very clear on this front. Enterprise policy managed chrome instances will still be able to run non-webstore extensions via ExtensionInstallWhitelist/ExtensionInstallForcelist. On Windows these policies are loaded via the Group Policy API.

If there are other aspects of extensions distribution that are still unclear, please ask specific questions and we will try to respond.

Thanks,
Rahul.



Antony Sargent

Jan 13, 2014, 2:00:30 PM
to Rob Wu, Chromium-extensions
@Antony, do you have a crbug link for "We've also considered the attack of modifying the contents on disk of another extension, and will have some defenses to mitigate that."?

I'd rather not go into more details about this yet.  

Antony Sargent

Jan 13, 2014, 2:02:22 PM
to Rajesh Katalkar, Chromium-extensions
On Mon, Jan 13, 2014 at 10:39 AM, Rajesh Katalkar <rajesh...@gmail.com> wrote:


On this thread " A few clarifications on Googles recent announcemnt on chrome extensions",
Someone named Finnur said that third party servers will be obsolete... so GPO with non webstore is going to work or not? This is getting confusing now...


Rajesh - I don't quite understand this question. Can you please start a new thread here on chromium-...@chromium.org with a little more detail? This thread is getting a little difficult to follow.

 

Rajesh Katalkar

Jan 13, 2014, 2:17:19 PM
to Antony Sargent, Chromium-extensions

Check this thread... last comment of Finnur where he says that third party servers will get obsolete for Windows...

https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAB2L5-YKtrP5TRkC%3Dr3y6SncWam3y8pU_1EF_01Xz0n%2Buiu5-Q%40mail.gmail.com

There are already new threads started by others also... as everyone has questions for deployment... so making new ones will just clutter it...

Rajesh Katalkar

Jan 14, 2014, 4:34:16 AM
to Antony Sargent, Chromium-extensions
Antony check my last comment and please confirm whether non-webstore GPO will work or not.

Mihai Coman

Jan 14, 2014, 5:11:18 AM
to chromium-...@chromium.org, Antony Sargent
Rajesh,

"I suppose that hosting on 3rd party servers will be obsolete." the statement was made by me (I'm in no way affiliated to the Chrome project - I'm just an extension developer trying to figure things out); I haven't heard of any indication that GPO will cease to support extensions not hosted in CWS - actually, to my understanding, the opposite is true: GPO should remain one of the ways to work around the new security measures - you should be able to continue to use GPO to load local or hosted on 3rd party servers extensions using enterprise policies.

Finnur Thorarinsson

Jan 14, 2014, 6:19:25 AM
to Mihai Coman, Chromium-extensions, Antony Sargent
Rajesh,

My answer on the other thread (to Mihai's question) was incomplete and therefore misled you. I apologize for that and have updated my answer (on that thread) to clarify.

Basically, enterprise (GPO) installs are not affected by this new restriction, and as I recall they could use a 3rd party server, so it looks to me like that will still be a supported use case.



Antony Sargent

Jan 14, 2014, 1:29:53 PM
to Finnur Thorarinsson, Mihai Coman, Chromium-extensions
Yes, for enterprises with GPO managed machines, policy based installs using GPO on those machines is explicitly still supported.

Rajesh Katalkar

Jan 15, 2014, 1:08:38 PM
to Antony Sargent, Chromium-extensions, Mihai Coman, Finnur Thorarinsson

Thank you all for confirming this. I hope all this info is updated in extension development help documents also.

Rajesh Katalkar

Jan 15, 2014, 1:16:45 PM
to Antony Sargent, Chromium-extensions, Rob Wu

One more suggestion for protecting preferences...
You can make some internal format to store data and store it in binary format... and encrypt it if you want... If you guys still think this can be cracked easily... ignore this comment as I don't want to argue on this any more.

On Jan 14, 2014 12:30 AM, "Antony Sargent" <asar...@chromium.org> wrote:
@Antony, do you have a crbug link for "We've also considered the attack of modifying the contents on disk of another extension, and will have some defenses to mitigate that."?

I'd rather not go into more details about this yet.  


Rajesh Katalkar

Jan 22, 2014, 7:34:14 AM
to Antony Sargent, Chromium-extensions, Rob Wu
I used GPO to install and remove extension from our server and it works fine. Also tried update of the same extension from our server and it worked fine. But I have to click update extension now from developer mode to verify this because I think chrome does not check updates on every launch. Why is this not per extension specific and why hidden in developer mode?

Please confirm that updates of extension installed by GPO will continue to work with third party server also.

Finnur Thorarinsson

Jan 22, 2014, 7:53:26 AM
to Rajesh Katalkar, Antony Sargent, Chromium-extensions, Rob Wu
The auto-update mechanism is not tied to Chrome launching, at least not last time I checked. For the webstore Chrome periodically checks for new versions every few hours and I believe it is no different for GPO installed extensions.

That would be as designed. You should probably try an update and wait longer.

.Why is this not per extension specific and why hidden in developer mode.

I don't understand what you mean by this not being "per extension specific" but the reason why it is tucked into developer mode is exactly because only those who are developing and deploying extensions care about manually updating. The rest of the users are on the automatic train.


Rajesh Katalkar

Feb 2, 2014, 12:52:49 PM
to Finnur Thorarinsson, Antony Sargent, Chromium-extensions, Rob Wu

I am using non-webstore deployment using GPO style and it works fine... also the update url in manifest points to non-webstore... I can click update now from developer mode and it also updates... never checked automatic update yet as it takes time according to chrome internal logic.
I was browsing the policies and getting info about it... There is a policy named "ExtensionInstallSources"... Do I need to set this also as I am using non-webstore updates also?
Please confirm urgently...

Rajesh Katalkar

Feb 2, 2014, 1:30:22 PM
to Finnur Thorarinsson, Chromium-extensions, Rob Wu, Antony Sargent

One more thing to add... I set GPO with windows api... on a standalone machine... and it works fine... As using GPO, this should be fine... right?

Rajesh Katalkar

Feb 3, 2014, 12:50:38 AM
to Finnur Thorarinsson, Chromium-extensions, Rob Wu, Antony Sargent
Please update me on this as we are providing GPO based extension and online updates to users like this... they are all standalone users and we host it on our online server...

On the following link, "http://www.chromium.org/administrators/policy-list-3", the following is mentioned... We are making it only available to users who install our software...

These policies are strictly intended to be used to configure instances of Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.


Rajesh Katalkar

Feb 3, 2014, 8:30:55 AM
to Finnur Thorarinsson, Chromium-extensions, Rob Wu, Antony Sargent
Please see my two posts above and please respond

Antony Sargent

Feb 3, 2014, 11:25:28 AM
to Rajesh Katalkar, Finnur Thorarinsson, Chromium-extensions, Rob Wu
You'll need to add the IDs to ExtensionInstallWhitelist, but you do not need to set ExtensionInstallSources unless you want users to be able to install manually from a link to a .crx file from a URL matching one of your patterns in ExtensionInstallSources.

It is likely that standalone GPO policies just set on a single machine will not continue to be supported, and we will require that policies be pushed by a server; otherwise this can be abused by malware.


Chris Naegelin

Feb 3, 2014, 11:37:34 AM
to Antony Sargent, Rajesh Katalkar, Chromium-extensions, Rob Wu, Finnur Thorarinsson
Something to consider: having worked in the security field for over a decade I can tell you first hand that adding complexity to a problem has never stopped malware makers. The nature of Microsoft's win32 APIs will not make such a change (to require a server pushed GPO) any less trivial to drop "malware extensions". There are other approaches to solving the issue if there truly is an interest in keeping an active extension environment that is not prone to malware (requiring signed extensions issued by chrome store with better chrome store app screening would be one example). Empowering developers with tools to monetize their extensions (beyond just google wallet) would also go a long way in steering the ship in the right direction. But that's just my opinion :)

-- 
Chris

Rajesh Katalkar

Feb 3, 2014, 12:32:25 PM
to Antony Sargent, Chromium-extensions, Finnur Thorarinsson, Rob Wu

I want to support extension to users who download our software. So can GPO be useful here?
What options do I have? Any non webstore options?
I can provide online server for extension...

Antony Sargent

Feb 3, 2014, 12:34:02 PM
to Chris Naegelin, Rajesh Katalkar, Chromium-extensions, Rob Wu, Finnur Thorarinsson
Chris - Thanks for your thoughts - I agree. Right now we're trying to steer folks in the right direction from an abstract policy perspective, and the technical measures we have to enforce this may (and probably will) need to change. 

Antony Sargent

Feb 3, 2014, 12:37:57 PM
to Rajesh Katalkar, Chromium-extensions, Finnur Thorarinsson, Rob Wu
On Mon, Feb 3, 2014 at 9:32 AM, Rajesh Katalkar <rajesh...@gmail.com> wrote:

I want to support extension to users who download our software .So can GPO be useful here. .?
What options do I have?. ..any non webstore options?


Unfortunately for windows stable/beta, we do not intend to support any options other than installing from the webstore or actual enterprise deployments. Again, I very much wish this were not the case, but we feel the bad actors in the ecosystem are taking that option away by abusing it to force extensions on users that they didn't want. 

 