Remote scripts in extensions


Jack Rockman

Feb 4, 2014, 2:08:36 AM
to chromium-...@chromium.org
Is it allowed to inject remote java-scripts into web-pages with an extension? I saw in Policy that it's prohibited for packed apps, what about extensions?

Joe Marini

Feb 4, 2014, 10:50:27 AM
to Jack Rockman, Chromium-extensions
No, all code has to be local. External script injection will be flagged and the extension will be taken down.



On Mon, Feb 3, 2014 at 11:08 PM, Jack Rockman <shinyp...@gmail.com> wrote:
Is it allowed to inject remote java-scripts into web-pages with an extension? I saw in Policy that it's prohibited for packed apps, what about extensions?

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/b869ee00-1b91-4122-9e2c-288bf092b1eb%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/groups/opt_out.



--
Joe Marini
Developer Advocate / Chrome Apps, Extensions, Web Store

Message has been deleted

Joe Marini

Feb 6, 2014, 2:05:08 PM
to david....@dealerspike.com, Chromium-extensions
I believe so. The whole point of having the extensions in the store is so that they can be scanned for malware.



On Wed, Feb 5, 2014 at 10:10 AM, <david....@dealerspike.com> wrote:
Does this limit on external scripts also apply to private extensions in the web store?



David Sexton

Feb 6, 2014, 2:42:23 PM
to Joe Marini, Chromium-extensions
This is problematic for our company.  We are contractually obligated to provide a service (which we do via a Chrome extension).  However, we are also not allowed to share the source code with non-contract partners (for example Google).  Since our contract partners are almost entirely on non-domain Windows instances, the new rules basically force us to have our extension in the Chrome web store.  Enterprise GPO is not an option since these machines are not on a domain, and we do not control the IT infrastructure of these partners.  Additionally, another post here (https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/FLOiwdIzDXA/pGEh1uXRRywJ) specifies that "It is likely that standalone GPO policies just set on a single machine will not continue be supported, and we will require that policies be pushed by a server ; otherwise this can be abused by malware.".

We planned to navigate this minefield by loading a stub extension into the web store as a private extension.  Then that stub would load the core logic of the extension from our servers.  We felt that this would be adequate (and more than reasonable) since 1.) it is a private extension and 2.) we have a business contract in place with everyone who would be able to install and use this extension.  However, if private extensions cannot load remote scripts, we're dead in the water with this idea.

The only reasonable options we have past this are to actually make our partners' computers less safe by either moving them to Canary/Nightly (where the in-store check doesn't appear to be applicable) or have them disable the check entirely via command line parameters when starting Chrome.  Neither of these sounds good to us since we want our partners to be safe just as much as the Chromium team does.

Do you have any thoughts on other alternatives that might be available for a B2B extension such as ours (private listing, contractual obligations (including the right to sue if for example we were to put malware in the extension), etc)?

Thanks in advance


From: "Joe Marini" <joem...@google.com>
Sent: Thursday, February 06, 2014 11:07 AM
To: david....@dealerspike.com
Cc: "Chromium-extensions" <chromium-...@chromium.org>
Subject: Re: [crx] Remote scripts in extensions

Scott Fujan

Feb 6, 2014, 2:56:07 PM
to David....@dealerspike.com, Chromium-extensions, Joe Marini

Just throwing this out there: you could encrypt your sensitive code, include it in the extension, then obtain the decryption key from the server.

Joe Marini

Feb 6, 2014, 2:57:01 PM
to Scott Fujan, David....@dealerspike.com, Chromium-extensions
You could also build it as a Native Client module and include the compiled code in the extension.
