Source Code Protection


emmettoc

Aug 20, 2010, 4:29:39 AM
to Chromium-extensions
Hello,

I'm interested in the coming Chrome Web Store and looked through a
developer's guide.

When I release a packaged app, how can I protect my source code,
which will contain some secret information, for example API keys? I
tried to read the source code of some Chrome extensions and I could. Some
of them have raw API keys.

Thank you.

Arne Roomann-Kurrik

Aug 20, 2010, 5:23:57 PM
to emmettoc, Chromium-extensions
You can use obfuscation to try and hide them from casual attempts, but generally keeping API keys secret in client software is extremely difficult (or impossible) to do if a user has root access to their machine.

Alternatives exist, though - for example all the Google APIs accept "anonymous" as the consumer token/secret when accessing them with OAuth.  You can also run a web service which stores your keys on your server and proxies requests from the extension to the APIs you use.

If you have a more specific implementation question, I'm happy to try and help come up with a solution.

~Arne




--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.
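
The proxy approach from the reply above, as an added example that is not part of the original thread: the server turns an untrusted request from the extension into the upstream call and attaches the key itself. The upstream host `api.example.com`, the route allowlist and the bearer-token header scheme are assumptions.

```javascript
// Added example. UPSTREAM, the routes and the header scheme are hypothetical.
const UPSTREAM = "https://api.example.com"; // placeholder third-party API
// Only the calls the extension actually needs are proxied.
const ALLOWED_ROUTES = new Map([
  ["GET", [/^\/v1\/search$/, /^\/v1\/items\/[0-9]+$/]],
]);
// Request headers the client may influence; everything else is dropped.
const FORWARDED_HEADERS = ["accept", "accept-language"];

// Turn an untrusted request from the extension into the upstream request,
// or return an error status. clientReq.headers uses lower-case names.
function buildUpstreamRequest(clientReq, apiKey) {
  if (!apiKey) return { error: 500 }; // server is misconfigured
  // Resolve against a fixed base so the client cannot pick the host.
  let target;
  try { target = new URL(clientReq.path, UPSTREAM); } catch { return { error: 400 }; }
  if (target.origin !== UPSTREAM) return { error: 400 };
  const patterns = ALLOWED_ROUTES.get(clientReq.method) || [];
  if (!patterns.some((re) => re.test(target.pathname))) return { error: 403 };
  const headers = {};
  for (const name of FORWARDED_HEADERS) {
    const value = clientReq.headers[name];
    if (typeof value === "string") headers[name] = value;
  }
  headers.authorization = `Bearer ${apiKey}`; // the key is attached only here
  return { url: target.href, method: clientReq.method, headers };
}

// Perform the upstream call and hand back status and body only, so upstream
// response headers never reach the extension.
async function relay(clientReq, apiKey, fetchImpl = fetch) {
  const out = buildUpstreamRequest(clientReq, apiKey);
  if (out.error) return { status: out.error, body: "" };
  const res = await fetchImpl(out.url, { method: out.method, headers: out.headers });
  return { status: res.status, body: await res.text() };
}

// Constructed sample request, as the extension might send it.
const sample = {
  method: "GET",
  path: "/v1/search?q=chrome",
  headers: { accept: "application/json", authorization: "Bearer from-client" },
};
console.log(buildUpstreamRequest(sample, "constructed-demo-key"));
```

Anyone who unpacks the extension can call the proxy, so the route allowlist should be paired with per-client rate limiting on the server.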


emmettoc

Aug 21, 2010, 12:33:11 AM
to Chromium-extensions
Dear Arne,

Thank you for your speedy reply.

I understand. I'll consider a hosted app too.

But if making and running a binary of JavaScript becomes available (I
don't know how to accomplish that technologically), I think that
more developers and companies will make more apps for the Chrome Web
Store.

Thank you again.

emmettoc



bughunt...@gmail.com

Jan 15, 2019, 2:15:40 PM
to Chromium Extensions, creepy...@gmail.com, kur...@chromium.org
Hey Arne,

Is it possible to load a background script and content script from a remote domain? I tried to do this by changing the content script location in the manifest.json file to the remote domain where I hosted it, but after doing this I am getting an invalid extension error. Any solution for this?

PhistucK

Jan 15, 2019, 3:21:57 PM
to bughunt...@gmail.com, Chromium Extensions, emmettoc, Arne Roomann-Kurrik
The web store rules do not allow (or just frown upon) remote scripts. You certainly cannot technically load a content script from a remote domain directly.

PhistucK



Darren Govoni

Jan 16, 2019, 8:56:12 PM
to bughunt...@gmail.com, Chromium-extensions, creepy...@gmail.com, kur...@chromium.org
If you want to protect keys, don't embed them in the extension. Use the extension options UI to input them and store them in Chrome, outside of your code. But the user has to take this step first.
