Running Windows Applications via Chrome Bookmark.

[Huseyin Yigit]

Hi Everyone,

I use Google Chrome Bookmark heavily. My favorite part is that I can use it synchronously between my computers. I am in a software development team and I have to manage a large number of shortcuts for many customers. 

I added the Windows application shortcuts to the bookmark in the form of file: //. But instead of running them in Windows environment, Chrome brings the file download manager. 

Especially being able to store remote desktop connections on the Google Chrome bookmark would be a great feature.

I tried developing a Google Chrome Extension for this. However, the Bookmark API does not offer an OnClick event. 

I have defined a special protocol handler as remotedesktop: //. But whenever I call this up via Bookmark, it asks me to allow it. I can understand this behavior in terms of security.

The best possible improvement would be that file:// shortcuts can open Windows applications directly. Thus, we can create shortcuts as we want via the command line.

I wasn't sure how I could get this idea to the Chrome development team. I found this place as the most suitable place. If you have support and guidance I would be happy to hear.

I wish you all a healthy day.

[PhistucK]

That would be prone to abuse (any website could just launch native applications).

You can create an extension that exposes a URL, say, chrome-extension://extension-ID/launch-application. This page will accept query string parameters, for example, ?name=Word.

Note - It should make sure that the referrer is empty (in order to make sure the user clicked on a bookmark and not a website navigated to this URL, though I am not sure this check is very secure, you might be able to use a service worker in your extension and make sure the sec-fetch-site is none, if that is accessible).

The page can then use native messaging to tell a locally installed native application (should be installed on a computer along with the extension) to launch the relevant application.

Note - why a ?name=Word and not a ?path=path/to/winword.exe? To narrow the attack surface, in case someone manages to spoof the request from a website and cause harm to the user. You create an allow-list in your extension and in your native messaging host, which is a minimal and basic protection against arbitrary launches.

It would be nice to also have some user-unique salted hash in the URL that should be passed to and get verified by the native messaging host, which provides another defense against arbitrary activation.

I imagine/realise this is a bit more than you had hoped, but this kind of feature can be a can of worms you do not want to open so easily.

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[Huseyin Yigit]

Thank you for the detailed answer. However, the main focus is not on extensions, but on using shortcuts in the bookmark.

I think a shortcut placed in the bookmarks by me should not cause a security concern.

18 Şubat 2021 Perşembe tarihinde saat 22:08:41 UTC+1 itibarıyla PhistucK şunları yazdı:

[Huseyin Yigit]

My expectation here is not to download the application, but to run the application.

Here I should be able to link to a local app, file or folder.

In this way, I can collect my customers' websites, critical files, applications in a single bookmark folder.

18 Şubat 2021 Perşembe tarihinde saat 22:42:36 UTC+1 itibarıyla Huseyin Yigit şunları yazdı:

[Huseyin Yigit]

I also hope that when I click a local shortcut, it detects it with a separate BookmarkOnClick event and runs the application directly instead of trying to change the page in the currently open active tab.

In its current state, adding file:// shortcuts as bookmarks in Bookmark makes no sense.

Thank you in advance for your comments and support.

18 Şubat 2021 Perşembe tarihinde saat 22:46:26 UTC+1 itibarıyla Huseyin Yigit şunları yazdı:

[Torne (Richard Coles)]

Clicking on a bookmark not doing the same thing as typing the URL of the bookmark into the URL bar just for this exact form of URL would be a very odd special case and it doesn't seem like this helps any use case other than the exact one you mentioned (wanting to have a bookmark folder that collects together things without caring if they're websites or not), and handling of file:// URLs in general has a lot of security considerations. So.. there's not really any chance of this happening.

[Huseyin Yigit]

At least the Bookmark API could support an OnClick event. So I could meet this expectation myself with an extension.

18 Şubat 2021 Perşembe tarihinde saat 23:06:06 UTC+1 itibarıyla to...@chromium.org şunları yazdı:

[PhistucK]

Can you think of use cases other than your exact use case (which I gave you a workaround for already, also using an extension) for a bookmark on-click event?

☆PhistucK