How to "Load unpacked extension" from command line

[Bruno Leonardo Michels]

Since the bullshit changes for stupid users are coming next year, I need an alternative way to allow my users to use my extensions.

Asking them to do it all manually is really boring. Perhaps there is a way to load it if I put the extension in some folder? Then I could create a installer?

I don't know how I am going to deal with it. Maybe I will just ask everyone (400k+ mixed ff/chr users) to migrate to Firefox. This last alternative seems better... hm...

[Joao da Silva]

I may be missing something; why not publishing the extensions in the webstore?

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

[Bruno Leonardo Michels]

Disagree

https://ssl.gstatic.com/chrome/webstore/intl/en/gallery_tos.html

Disagree

http://www.google.com/intl/en/policies/privacy/

What now?

[Bruno Leonardo Michels]

It is not only me that will suffer with this.

Youtube Options FULL

and other extensions

will also suffer.

You are doing a change that will affect many users and don't even know... or care...

I know that there is a lot of malicious extensions around, but what options do you leave for geniune people? Only the lame WebStore where you restrict many thing and have dumb policies.

I don't know what to do, I will have to ask users to load unpacked extensions... That is the only way I could find out.

On Wednesday, November 20, 2013 2:05:33 PM UTC-2, Joao da Silva wrote:

[Jeffrey Yasskin]

Just in general, when y'all say that you can't put your extensions in
the store because of "the ToS and privacy policy", it would be really
helpful if you'd lay out the exact terms that your extension can't
meet and why. The whole policy change is a delicate tradeoff between
protecting users from malware without preventing too many legitimate
extensions from existing. For example, the enterprise policy exception
is an attempt to keep allowing a big class of legitimate extensions
that can't go into the store. If you (collectively) tell us about
another class of extensions that can't go in the store, it's possible
we can think of a systematic way to allow them too. (Unfortunately, we
already know about the class of extensions that enable both fair use
and copying of youtube videos, and couldn't think of a way to enable
them beyond "use the dev channel or non-Windows", but maybe there are
other classes.)

To answer your question directly, we can't make it easy to load an
extension unpacked from the command line because malware can easily
modify the user's command line without asking the user first. It needs
to be hard for malware to work around the restrictions, or there's no
point.

On Wed, Nov 20, 2013 at 8:31 AM, Bruno Leonardo Michels

[Mike Frysinger]

protip: when asking an open source project for free assistance, you might want to adjust your attitude to not be combative from the outset.  it makes people inclined to auto-mute you.

-mike

[Bruno Leonardo Michels]

I realize that, as I knew from the start that it would be likely impossible and I wouldn't get a workaround answer even if there is still a hole in security.

I am just pissed (AGAIN) with the path Chrome decided to take. And I am not holding back what I think of this bullshit. Someone had to say it, wake up already.

Without options I am now inclined to drop Chrome.

Anyway, no one cares, but I had to take it out my chest.

w/e

bye

[Matt Perry]

Actually, we do have a command line flag: --load-extension=<path-to-unzipped-crx-folder>

I don't know whether we plan to remove this as part of the anti-malware push, though. And either way, I wouldn't recommend it as a way for regular users to install an extension, because it's designed for developers only. It's missing things like autoupdate, and it's slightly slower to load.

--

[Achuith Bhandarkar]

--load-extension/--load-component-extension are necessary for cros autotests. I hope there's no plan to deprecate these.

[James Robinson]

On Wed, Nov 20, 2013 at 7:58 AM, Bruno Leonardo Michels <brun...@gmail.com> wrote:

Since the bullshit changes for stupid users are coming next year

This is an inappropriate way to start an email to this list.  Please find a better way to phrase things or if you cannot refrain from posting to this list.

- James

[Jeffrey Yasskin]

I disagree. We're doing something that hurts many of our users. They
have a right to be angry. It's our responsibility to listen to the
substance under the anger, rather than dismissing them just because
their tone is wrong.

[James Robinson]

I'm not dismissing the substance of the message.  The tone is unacceptable regardless of the merits of the substance.

- James

[Justin Schuh]

James is right. This list is chromium-dev, not chromium-vent. While we all appreciate that some changes are controversial, that's not a justification to use this list to hurl insults and veiled threats. Moreover, it's not like anyone involved is happy that the malware situation has grown bad enough to have forced us to inconvenience some extension developers.

What would be helpful is substantive answers as to what the issues are with the CWS policies. Or really, just any productive discussion on determining a viable long-term solution. Because my expectation is that most (all?) straight-forward local install vectors will need to be closed or significantly impeded as they are identified and exploited by malware authors.

-j

 

- James

[Will O'Brien]

Was there any word on whether or not these are or will be deprecated? peter.sh still shows them, but i'm not sure how often that list is updated.

Im trying to create a simple Makefile to install/uninstall my extension

install:

»·google-chrome --load-extension=$(shell git rev-parse --show-toplevel) --silent-launch

uninstall:

»·google-chrome --uninstall-extension=$(shell ./scripts/get-extension-id) --silent-launch

uninstall seems to work fine - but --load-extension appears to be failing silently. If this is not the place to ask this, I'd appreciate someone orienting me :)

-- Will

[Alain Kalker]

On Wednesday, November 20, 2013 6:01:01 PM UTC+1, Jeffrey Yasskin wrote:

To answer your question directly, we can't make it easy to load an
extension unpacked from the command line because malware can easily
modify the user's command line without asking the user first. It needs
to be hard for malware to work around the restrictions, or there's no
point.

I'm honestly sorry have to do what I'm about to do in my very first post in this group, but I have to call bullshit on this one. Not because I like throwing words like that around much, but because I've heard too many arguments like the one quoted above.

If malware gets access to an user's command line, this means that the perps basically pwned the machine. Almost universally true for Windows, on other OSes they may need to replace the user's login script to gain root the moment the user uses something like `sudo`.

Making it hard(er) to launch unpacked apps/extensions isn't going to mitigate the malware threat (malware can still use any of the automated browser test frameworks out there to launch whatever they want, even going as far as replacing the browser itself), it's just going to piss off developers.

I don't think Chrome/Chromium should branch out into the antivirus trade, there's other apps for that.

-Alain

[Julie May]

is --load-extension enabled or disabled at this point?

It errors out silently, which is painful. I have not been able to get it to work, but then I could have the wrong syntax. Also, the CRX has to be unpacked? Doesn't that create multiple folders? 

[Antony Sargent]

Hi Julie-

--load-extension is still supported and should be working the same as it always has, unless there is a new bug. One common problem people can run into when trying to run with command line flags is that you must ensure all other running chrome processes have shut down (usually using the 'Exit" command from the menu is sufficient to ensure this), including any background apps. Maybe you were hitting this too?

 

[Julie May]

Might be, trying to start a new profile though.  If this still applies, that might be the issue.  I think I have Google Drive, Hangouts, and mail notifier running. At least hangouts is a background app. 

Thanks, I'll give this a try

[Julie May]

Tried a new profile, unpacked extension, and every conceivable way that I know of to write the directory structure. It still doesn't load the extension.

Is there a project with the working syntax somewhere? If there is then I could make sure I'm not the one causing the error. If not, then I'll file the bug.

Julie May CEO, Anitography Solutions Inc. Phone: +17804491509 Cell: +17809187246 12211-83 Street NW, Edmonton, AB, T5B 3A1 +JulieMay | +AnitographySolutions  Anitography Solutions | jam...@gmail.com

[PhistucK]

Post the full command line here and we can check for issues.

☆PhistucK

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

[Achuith Bhandarkar]

Telemetry uses --load-extension. The unit tests exercise this use case and are passing.

To see this in action, you can do:

src/tools/telemetry/run_tests testExtensionBasic. 

Telemetry should launch a browser using --load-extension and execute some javascript in the context of this extension.