Exe file in chrome extension, for some allowed, for some don't

[Martin Mravec]

Hello,

I would like to ask you, is there anybody, who also has exe file in chrome extension ? My extension is using native messaging api to communicate with my windows app. It was working more than half year without any problems, but few days ago, I received message about removal my extension and the reason was:

• All of the files and code are included in the item’s package.
• All code inside the package is human readable (no obfuscated or minified code).
• Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

It is probably because of exe installer, which is inside the package. But when I removed it and replaced it with the download link to my website, it probably broke the last rule. So I am not sure, how to do this. Also I am not sure, why there is native messaging api, when I can't have installer for app, which is using it.

But it is very interesting, that IE Tab (https://chrome.google.com/webstore/detail/ie-tab/hehijbfgiekmjfkfjpbkbammjbdenadd - more than 3 millions downloads) has the exe file inside the package, but there are still in the store. Btw I was using the same way to distribute exe file in the extension.

It looks like, that rules are not apply for everyone.

[Antony Sargent]

You'll need to contact webstore support for more information on the official policy, but I think the intention for extensions with native messaging hosts is that you provide an entirely separate, standalone installer program that installs your native messaging host executable and associated registry entries, and that you distribute this via some facility outside of your extension (eg a direct download link on your website). Your extension in the webstore should not contain any native executable code. 

--
You received this message because you are subscribed to the Google Groups "Chromium-Extensions-Announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/78d9af29-697a-440a-9169-24d4c58b0167%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

[Tony BenBrahim]

I have the same problem with a native messaging extension, I did not include the setup.exe, but had a webpage to download it, similar to the way done in the Cisco Webex extension.

I am not sure what happened, but it looks like they changed their scanning algorithm, as my extension was removed last Friday after more than a year in the Chrome store. 

In any case, it apparently has nothing to do as to whether the executable is inside or outside the package.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CALwaUNKAPnSyKa1yjbPeyJ6vwWYJHAnk7ET--8-7fBdWbpijqA%40mail.gmail.com.

[Tony BenBrahim]

So today, I get another take down notice for the same extension, this time with different justification:

Packaged and Hosted apps should not:

* Require a local executable, other than the Chrome runtime, to run.

* Provide a webview of a website that is not owned or administered by you.

* Download or execute scripts dynamically outside a sandboxed environment such as a webview or a sandboxed iframe.

* Misuse notifications by sending spam, ads, promotions of any kind, phishing attempts, or unwanted messages in general.

Of course, I have an extension, not a package app and not a hosted app. If the first point applies to extension, I guess that rules out native messaging?

[Dhivakaran k]

Dear Martin Mravec,

   I done one extension for kill teamviewer and anydesk like that screen sharing exe files while running my website.KIndly help on this im stract with this .is there any way to stop screen sharing  while running my website.?

[Hr Gwea]

I have also noticed this arbitrarity when it comes to including a native executable in the extension package. Some extensions do include executables, while at the same time the guidelines suggest that you should not do so.

I read once in the comments of some Chrome bug report how two Google engineers were discussing about the advantages of including the executable in the package. One of them mentioned that by allowing the executable in the package, they could take advantage of the CWS automated virus and security checks for scanning the executable too.

Given the fact that there actually are packages with .exe files inside, I would say that the CWS team is not clear about whether to allow or disallow this practice.

@Tony BenBrahim,  the notice you got saying "Packaged and Hosted apps should not Require a local executable, other than the Chrome runtime, to run".

That notice is clearly bogus. Policies for Apps do not apply to extensions and vice versa.

Apps are not even allowed in the webstore anymore, so it doesn't make sense that they are trying to enforce those policies.

[Ross Presser]

To be perfectly honest, if you even want to block screen sharing while viewing your website, then your website is never going to be visited by me or those like me.

[Simeon Vincent]

There appears to be a good bit of confusion going on here. First, Dhivakaran resurrected a 4 year old thread with an unrelated question. Dhivakaran, this discussion group is for developers creating browser extensions for Chrome, so this is very off topic. In any case, I'm not aware of any browser that allows users to block screen recorders from seeing the content of a web page.

Hr, the comment by Tony that you're responding to is over 4 years old. I'd strongly recommend against distributing binaries as part of a Chrome extension as the extension would have to contain binaries for every platform you want to support. This would unnecessarily bloat extension's distributable and would require releasing (and forcing end users to download) new versions of the extension when you update the binary. Additionally, an executable bundled the extension wouldn't work by itself. You'd need some other application on the system to properly register the binary inside the extension with the host OS. Theoretical benefits aside, this strikes me as a clear misuse of the extension platform.

And with that, I kindly ask that we let this very old thread return to quietly resting in the archives.

Cheers,

Simeon - @dotproto

Extensions Developer Advocate