Secure connection of an Extension with another application


Andrey Tamarkin

Nov 12, 2024, 6:16:08 AM
to Chromium Extensions

Hello,

I am developing an extension that needs to communicate with another application running on the computer (outside of the browser). From my research, I understand this can be achieved in two ways:

  1. Sending HTTP requests to the application
  2. Using native messaging to interact with the application

Is there a method for the application to verify that the messages are genuinely sent by my extension and not by an impersonator?

Thank you for your assistance.

woxxom

Nov 12, 2024, 6:42:21 AM
to Chromium Extensions, Andrey Tamarkin
With nativeMessaging you can specify which extension ids your app accepts.

Oliver Dunk

Nov 12, 2024, 6:58:31 AM
to woxxom, Chromium Extensions, Andrey Tamarkin
As wOxxOm mentioned, there's support in the native messaging host manifest to control the extension IDs that are able to connect: https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging#native-messaging-host

That said, there are some limitations to what is possible.

For example, this is only enforced by Chrome to prevent other extensions from calling the API with your host identifier. In most cases, that should be sufficient, but it doesn't prevent a binary pretending to be Chrome from launching the native message host. Even with a trusted build of Chrome, an unpacked extension could be loaded with the ID of your trusted extension and connect this way.

I hope that helps.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/0ae71dc2-ddaa-456a-a2dc-7b8c7d004374n%40chromium.org.
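An added example (not code from the thread or from Chrome's documentation) of what the two replies above describe: a stdio native messaging host written in Python, together with the host manifest whose `allowed_origins` entry is the only thing Chrome enforces. The host name `com.example.myhost`, the manifest `path` and the 32-character extension id are assumptions for illustration. The host also reads the `chrome-extension://<id>/` origin that Chrome passes as the first command-line argument (and, on Windows, the `--parent-window=<hwnd>` argument wOxxOm refers to later), but, as Oliver notes, anything on that command line is chosen by whoever launched the process, so it is a sanity check rather than authentication.

```python
"""Minimal Chrome native messaging host (stdio) with an origin sanity check.

Wire format: each message is a 32-bit little-endian length followed by UTF-8 JSON.
Chrome limits host->extension messages to 1 MiB.
"""
import io
import json
import struct
import sys

# Assumed extension id (placeholder, 32 chars a-p); replace with your published id.
ALLOWED_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
ALLOWED_ORIGIN = f"chrome-extension://{ALLOWED_EXTENSION_ID}/"

# Host manifest that Chrome reads from the platform's NativeMessagingHosts location.
# "allowed_origins" is what stops *other extensions* from connecting to this host name;
# it does nothing against a process that is not Chrome launching the host directly.
HOST_MANIFEST = {
    "name": "com.example.myhost",          # assumed host name
    "description": "Example native messaging host",
    "path": "/opt/myhost/host.py",         # assumed absolute path to this script
    "type": "stdio",
    "allowed_origins": [ALLOWED_ORIGIN],
}


def encode_message(obj):
    """Serialise obj as a length-prefixed native messaging frame."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > 1024 * 1024:
        raise ValueError("message exceeds the 1 MiB native messaging limit")
    return struct.pack("<I", len(body)) + body


def decode_message(stream):
    """Read one frame from a binary stream; None on clean EOF (port closed)."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("<I", header)
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated native messaging frame")
    return json.loads(body.decode("utf-8"))


def caller_origin(argv):
    """Return the chrome-extension://<id>/ origin Chrome passes on the command line.

    Chrome also passes --parent-window=<decimal HWND> on Windows. Both values are
    supplied by the launching process, so a fake 'Chrome' can forge them.
    """
    for arg in argv[1:]:
        if arg.startswith("chrome-extension://"):
            return arg
    return None


def serve(stdin, stdout, argv):
    """Echo every message back until EOF. Returns the number of messages handled."""
    origin = caller_origin(argv)
    if origin != ALLOWED_ORIGIN:
        # Chrome should never reach this branch because of allowed_origins; a hit
        # means the host was started by something other than Chrome on our behalf.
        stdout.write(encode_message({"error": "unexpected caller origin"}))
        stdout.flush()
        return 0
    handled = 0
    while True:
        msg = decode_message(stdin)
        if msg is None:
            break
        stdout.write(encode_message({"echo": msg, "origin": origin}))
        stdout.flush()
        handled += 1
    return handled


def run_in_memory(messages, argv):
    """Drive serve() over in-memory pipes; returns (handled, decoded responses)."""
    stdin = io.BytesIO(b"".join(encode_message(m) for m in messages))
    stdout = io.BytesIO()
    handled = serve(stdin, stdout, argv)
    stdout.seek(0)
    responses = []
    while (resp := decode_message(stdout)) is not None:
        responses.append(resp)
    return handled, responses


if __name__ == "__main__":
    # Binary streams are required: text-mode newline translation corrupts frames.
    serve(sys.stdin.buffer, sys.stdout.buffer, sys.argv)
```

Usage: register `HOST_MANIFEST` as `com.example.myhost.json` in the NativeMessagingHosts directory (or the matching registry key on Windows), then call `chrome.runtime.connectNative("com.example.myhost")` from the extension whose id is in `allowed_origins`. Chrome rejects connect attempts from any other extension id before the host is even started; the `caller_origin` check only catches misconfiguration or a non-Chrome launcher that did not bother to forge the argument.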

Andrey Tamarkin

Nov 23, 2024, 5:59:32 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Andrey Tamarkin, woxxom
Thanks for all the responses.

Regarding the native messaging option - I assume that the application that I plan to call via the native messaging can verify that the binary that calls it is really Chrome. I'm worried however about the unpacked extension option (attacker can take the key of my extension and pretend to be my extension).

Are there any ways to prevent this?
1. I can verify that the extension is force-installed by the enterprise (and thus the same extension id cannot be loaded unpacked).
2. Can I verify that loading unpacked extensions is not allowed?

woxxom

Nov 23, 2024, 6:24:48 AM
to Chromium Extensions, Andrey Tamarkin, Oliver Dunk, Chromium Extensions, woxxom
> loading unpacked extensions is not allowed

Your app can also read the "Secure Preferences" file in the browser's data profile to find out how and where this extension is installed. To find the profile's directory you can 1) check the standard paths, 2) ask the user when installing the app, 3) in Windows use the HWND parameter in your app's command line, see https://groups.google.com/a/chromium.org/g/chromium-extensions/c/QN_wvxn5Aiw/m/6d6MhZs5CAAJ.
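An added example (not code from the thread) of the "Secure Preferences" check wOxxOm suggests: locate the profile directory via the standard paths (option 1 in the reply), load the file, and report whether the extension id is present and whether its `location` says it was force-installed by policy or loaded unpacked. The `location` codes are the ManifestLocation values I believe Chrome writes under `extensions.settings.<id>` (assumed from `extensions/common/manifest.h`; verify against the Chrome version you deploy), the extension ids are placeholders, and `SAMPLE_PREFS` is a constructed fragment of the file, not a real one. Chrome also stores per-preference HMACs under `protection.macs`; validating them is not attempted here, so treat the result as a heuristic consistent with Oliver's caveat, not as a security boundary.

```python
"""Read a Chrome profile's Secure Preferences and classify how an extension was installed."""
import json
from pathlib import Path

# Assumed placeholder ids (32 chars a-p).
EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
UNPACKED_DEV_ID = "p" * 32

# ManifestLocation codes as assumed from Chrome's extensions/common/manifest.h.
LOCATIONS = {
    1: "internal (user-installed, e.g. from the Chrome Web Store)",
    2: "external_pref",
    3: "external_registry",
    4: "unpacked (Load unpacked / --load-extension)",
    5: "component",
    6: "external_pref_download",
    7: "external_policy_download (force-installed by enterprise policy)",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}
UNPACKED_LOCATIONS = {4, 8}
POLICY_LOCATIONS = {7, 9}


def candidate_profile_dirs(home, platform, env):
    """Standard 'Default' profile directories for Chrome on each OS.

    Other profiles are listed in the 'Local State' file next to them; this helper
    only returns the default one. 'platform' is sys.platform style ('win32', 'darwin', 'linux').
    """
    home = Path(home)
    if platform.startswith("win"):
        base = Path(env.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return [base / "Google" / "Chrome" / "User Data" / "Default"]
    if platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome" / "Default"]
    return [home / ".config" / "google-chrome" / "Default"]


def load_secure_prefs(profile_dir):
    """Parse '<profile>/Secure Preferences' as JSON."""
    with open(Path(profile_dir) / "Secure Preferences", encoding="utf-8") as f:
        return json.load(f)


def classify_extension(secure_prefs, extension_id):
    """Describe the install source of extension_id, or None if it is not installed.

    This reads a file the local user (and therefore a local attacker) can edit, and
    the HMACs under 'protection.macs' are not verified here, so it is a heuristic only.
    """
    entry = secure_prefs.get("extensions", {}).get("settings", {}).get(extension_id)
    if entry is None:
        return None
    loc = entry.get("location")
    return {
        "location": loc,
        "description": LOCATIONS.get(loc, "unknown location code"),
        "unpacked": loc in UNPACKED_LOCATIONS,
        "policy_installed": loc in POLICY_LOCATIONS,
        "from_webstore": bool(entry.get("from_webstore", False)),
        # Unpacked extensions carry the on-disk source directory here.
        "path": entry.get("path"),
    }


# Constructed sample of the relevant subtree of a Secure Preferences file.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            EXTENSION_ID: {"location": 7, "from_webstore": True, "state": 1},
            UNPACKED_DEV_ID: {"location": 4, "from_webstore": False,
                              "path": "/home/dev/my-extension", "state": 1},
        }
    },
    "protection": {"macs": {}},
}


if __name__ == "__main__":
    import os
    import sys
    for profile in candidate_profile_dirs(Path.home(), sys.platform, os.environ):
        try:
            prefs = load_secure_prefs(profile)
        except OSError:
            continue
        print(profile, classify_extension(prefs, EXTENSION_ID))
```

Running the script on a real profile prints `None` when the id is absent, a record with `policy_installed` true for an enterprise force-install, and `unpacked` true with a `path` for a developer-mode load of the same id. Because the check depends on guessing the profile directory and trusting a user-writable file, it answers "how does this profile think the extension was installed", not "is the peer on the other end of the pipe my extension".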