Restricting use of file: URLs in tabs and windows APIs

已查看 11,319 次
跳至第一个未读帖子

Jun Kokatsu

未读,
2023年8月10日 14:00:042023/8/10
收件人 Chromium Extensions

Chromium extensions are currently allowed to navigate to file URLs through chrome.tabs and chrome.windows APIs. However, most extensions do not use these, and they can sometimes introduce a vulnerability where an extension unexpectedly navigates to a file URL of an attacker’s choice. This can result in a number of issues, such as local file disclosure.


Following discussions in the WECG, we plan to restrict navigation to file URLs (in Chromium 118), unless the “Allow access to file URLs” option is enabled on the extension’s details page. The use of navigation to file URLs is low in Chrome (approximately 0.02%), and we expect that for most extensions there will be no impact. In the small number of other cases, we believe that the toggle is a reasonable requirement.


Firefox already restricts file URLs, and Safari supports the change.


Along similar lines, we recently landed a change to expand restrictions on javascript URLs to all API methods. This was already blocked for tabs.update, and opening these URLs outside of an existing tab has limited use. This will land in 117 and we do not expect any impact.


As always, please do let us know if you have any feedback.


Thanks,


Jun on behalf of Chrome Extension team


Don Schmitt

未读,
2023年9月16日 19:00:472023/9/16
收件人 Jun Kokatsu、Chromium Extensions
Hi,

I believe you should provide a Group Policy to enable this enterprise wide.  We have customers who have tools that download files that they then open locally with our extension as a viewer.  Can you provide a policy for this?

Thanks!
Don



--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c9085e6f-d021-4516-93bd-61f360898b0en%40chromium.org.

Patrick Kettner

未读,
2023年9月27日 15:31:122023/9/27
收件人 Don Schmitt、Jun Kokatsu、Chromium Extensions
Hey Don
Do you mean an enterprise policy to not restrict the use of file URLs in extensions?

Don Schmitt

未读,
2023年9月27日 15:47:182023/9/27
收件人 Patrick Kettner、Jun Kokatsu、Chromium Extensions
Hi Patrick,

Allow me to clarify.  If I understand this change announcement, this change makes it so that an extension cannot navigate to a file URL unless the following permission has been enabled on the extension page for that extension:  "Allow access to file URLs” .  However, unless something has changed there is no way to enable that option with enterprise policy for an extension and it's impractical for an enterprise to have their end users manually change settings.

The lack of ability to enable this option has come up in the past and I don't recall what the resistance was to providing enterprise policy for enabling that option.  I think perhaps it was difficult before there was an ExtensionSettings policy (i.e. the ability to set per-extension values).

Does that make sense?

--
Don


Jun Kokatsu

未读,
2023年9月29日 13:37:042023/9/29
收件人 Chromium Extensions、Don Schmitt、Jun Kokatsu、Chromium Extensions、Patrick Kettner
Hi Don!

Sorry it took sometime to get back on this.
I've added a new field in ExtensionSettings policy to allow navigation to file URLs from configured extensions.
Unfortunately, this policy change will not land in time for Chrome 118. Meanwhile, you can disable the RestrictFileURLNavigation feature.

Hope this helps!

Jun

Don Schmitt

未读,
2023年9月30日 11:38:362023/9/30
收件人 Jun Kokatsu、Chromium Extensions、Patrick Kettner
Wow, what a quick response.  Great work, thank you!


David

未读,
2023年10月2日 12:10:252023/10/2
收件人 Chromium Extensions、Don Schmitt、Chromium Extensions、Patrick Kettner、Jun Kokatsu
Hi Jun,

I tried to test this new feature on the latest Chrome Canary.
The policy loaded and the schema was validated correctly. The extension is force-installed by the enterprise.
I expected the "Allow access to file URLs" to be enabled once I did it but there was no change.

How should I test it?
Tried running chrome.extension.isAllowedFileSchemeAccess as well to verify.

Our enterprise has a self-hosted extension installed on enterprise enrolled devices, and we wish to allow access to file URLs without user intervention.

Thanks.

Jun Kokatsu

未读,
2023年10月2日 18:33:192023/10/2
收件人 David、Chromium Extensions、Don Schmitt、Patrick Kettner
Hi David,

The new enterprise policy does not allow access to file URLs. It just allows navigation to file URLs from specified extensions, which is being deprecated in Chrome 118.

Thanks,

Jun

iza

未读,
2023年10月15日 00:08:012023/10/15
收件人 Chromium Extensions、Jun Kokatsu、Chromium Extensions
Hi, I'm the developer of Humble New Tab Page.
Some of my users have bookmarks to local files, and have complained that they can no longer open them from my extension new tab page.

Am I correct in understanding that for the "Allow access to file URLs" toggle to show up for my extension, I would need to declare
"host_permissions": ["file:///*"] in my extension manifest? Because I really don't want or need such a broad permission. Is there no way to request navigation permission without full read access?

iza

未读,
2023年10月15日 00:54:532023/10/15
收件人 Chromium Extensions、iza、Jun Kokatsu、Chromium Extensions
On further investigation, it looks like I can add the "activeTab" permission instead to make the "Allow access to file URLs" toggle available. Still an unnecessary permission for my extension, but less invasive.

Jackie Han

未读,
2023年10月16日 04:02:142023/10/16
收件人 Jun Kokatsu、Chromium Extensions、iza
Hi Jun Kokatsu,

I noticed that there is no "Allow access to file URLs" option for my extensions from Web Store, but there is this option for all unpacked extensions.

Screenshot 2023-10-16 at 15.55.38.png
Above screenshot is an extension from Web Store. There is no "Allow access to file URLs" option!

Screenshot 2023-10-16 at 15.56.07.png
Above screenshot is an unpacked extension. All unpacked extensions have this option.

So how can users enable "Allow access to file URLs" for extensions installed from CWS?


Jackie Han

未读,
2023年10月16日 04:09:292023/10/16
收件人 iza、Chromium Extensions、Jun Kokatsu
Hi, iza

For unpacked extension, just enable "Allow access to file URLs", it works. It doesn't need any permissions (like "file:///*" or "activeTab"). But extensions from CWS don't show this option. That is a problem.

Flozzl 51

未读,
2023年10月16日 06:02:142023/10/16
收件人 Chromium Extensions、Jackie Han、Chromium Extensions、Jun Kokatsu、iza
Hi,
ive tried the solution but somehow "file_url_navigation" is not working for the extension " Enable local file links". 


Screenshot 2023-10-16 115314.jpg

This is how its configured in GPO

Screenshot 2023-10-16 120040.jpg

Here you can see that only the Pin to toolbar command is working.
Am i doing something wrong here?

Jun Kokatsu

未读,
2023年10月16日 14:32:162023/10/16
收件人 Chromium Extensions、Flozzl 51、Jackie Han、Chromium Extensions、Jun Kokatsu、iza
Hi All!

To iza and Jackie, I think requesting "file:///*" permission is the best option here, as it does not provide file access to the extension until users enable the "allow access to file URLs" option.
The reason why we didn't expose new toggle specific to file URL navigations is that we think normal users wouldn't understand what navigation to file URLs mean in terms of granting access. Therefore, we wanted to tie navigation to file URLs with the file URL access itself, which seems more clearer.

To Flozzl 51, unfortunately, the request for enterprise policy came a month after we announced the change, and therefore it didn't land on time for Chrome 118. But it will be available from Chrome 119.

Thanks,

Jun

iza

未读,
2023年10月16日 14:58:092023/10/16
收件人 Chromium Extensions、Jun Kokatsu、Jackie Han、Chromium Extensions、iza
I ended up adding "optional_host_permissions": [ "file:///*" ]
This way the "Allow access to file URLs" is shown, navigation works, but I don't actually get read permission.

Jun Kokatsu

未读,
2023年10月16日 15:11:312023/10/16
收件人 Chromium Extensions、iza、Jun Kokatsu、Jackie Han、Chromium Extensions
That's amazing iza! Thank you for sharing your tips!

Jun

Jackie Han

未读,
2023年10月17日 01:12:152023/10/17
收件人 Jun Kokatsu、Chromium Extensions、iza
Great! I just published a new version of my extension which added the "optional_host_permissions": [ "file:///*" ] in manifest. After upgrading from CWS, the extension details page shows the "Allow access to file URLs" option now.

Although this solves the problem, I think many people don't know this difference between unpacked extensions and packed extensions from CWS.

MH

未读,
2023年10月20日 06:45:482023/10/20
收件人 Chromium Extensions、Jackie Han、Chromium Extensions、iza、Jun Kokatsu
Hello

I have tested the new policy with chrome 119 beta:
The Registrykey ("file_url_navigation_allowed"=dword:00000001) seems to be valid, but the behevior has not changed.
Is it true, that its still necessary to enable the file access in the extension settings?
If so, how can I force this settings without user interaction. (Company with ~6k employees)?

Thanks for your respond.

Jun Kokatsu

未读,
2023年10月20日 20:30:232023/10/20
收件人 MH、Chromium Extensions、Jackie Han、iza
Hi,

Unfortunately, I currently don't have access to windows PC to verify this issue.
But I think it is not working because you have not set the extension ID. Since file_url_navigation_allowed is a part of the ExtensionSettings policy, you'd need to set the extension ID for which you want to allow file: URL navigation.
I can try to repro this next week if you still see the same issue.

Thanks,

Jun

MH

未读,
2023年10月26日 02:42:192023/10/26
收件人 Chromium Extensions、Jun Kokatsu、Chromium Extensions、Jackie Han、iza、MH
Hi Jun

I think i did it correctly, this is what it shows in chrome://policy (valid):

{
  "nikfmfgobenbhmocjaaboihbeocackld": {
    "file_url_navigation_allowed": true,
    "installation_mode": "force_installed",
    "update_url": "file:////[Path to xml]//ChromeExtensions.xml"
  }
}


Still have the same issue.
Thanks

Jun Kokatsu

未读,
2023年10月30日 20:26:042023/10/30
收件人 Chromium Extensions、MH、Jun Kokatsu、Chromium Extensions、Jackie Han、iza
Hi,

I was successfully able to apply `file_url_navigation_allowed` on Chrome Beta for Windows.
I followed these steps to download and apply Admin template. This guide from Edge actually goes more details into how to make a JSON to apply to ExtensionSettings policy, but I basically applied `{"hinmcgipjjndkedddmmpidnjikjebejj":{"file_url_navigation_allowed":true}}` and it worked. Make sure that Chrome is restarted and the policy changes appears in chrome://policy.

Thanks,

Jun

ELU Konsult

未读,
2023年10月31日 03:50:032023/10/31
收件人 Chromium Extensions、Jun Kokatsu、MH、Chromium Extensions、Jackie Han、iza
I have tried both Chrome Beta (version 119.0.6045.59) and Edge for Business Beta (119.0.2151.38) and i can't get the policy 'file_url_navigation_allowed' to work.

This is what i have in my Group policy setting "Extension management settings":
{"nikfmfgobenbhmocjaaboihbeocackld":{"file_url_navigation_allowed":true}}

In Chrome Beta i get no Policy error, but the policy does not Enable "Allow access to file URLs".
In Edge for Business Beta i get a Policy error: " ErrorError at ExtensionSettings.nikfmfgobenbhmocjaaboihbeocackld: Schema validation error: Unknown property: file_url_navigation_allowed"

Am i doing something wrong?
Edge_beta.png
Chrome_Beta_Plugin.png
Chrome_Beta_Policy.png
Chrome_Beta.png
Edge_Beta_policy_Error.png
GPO.png

Jun Kokatsu

未读,
2023年10月31日 12:49:592023/10/31
收件人 Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Chromium Extensions、Jackie Han、iza
Hi,

The policy addition for each release channel can be checked here.
On Chrome Beta, it starts support from 119.0.6045.9 onwards, which is probably why it did not work on your version (i.e. 119.0.6045.59).

Please try on version 119.0.6045.9 or up and let me know if it works!

Thanks,

Jun

ELU Konsult

未读,
2023年11月1日 04:27:032023/11/1
收件人 Chromium Extensions、Jun Kokatsu、ELU Konsult、MH、Chromium Extensions、Jackie Han、iza
Hello Jun,

I have tried the latest beta build " Version 119.0.6045.105 (Official Build) beta (64-bit)" and the issue still is the same.
The policy does not have any effect on enabling "Allow access to file URLs"

Also tried downloading the Chrome Canary version of the browser, but it doesn't work in that either.
This is the JSON value from Chrome policy page: 
{ "nikfmfgobenbhmocjaaboihbeocackld": { "file_url_navigation_allowed": true } }
Chrome_Beta_6045.105.png
Chrome_Beta_Policy_105.png

Flozzl 51

未读,
2023年11月1日 05:50:322023/11/1
收件人 Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Chromium Extensions、Jackie Han、iza
Hi,

same preconditions and problems like @ELU_Konsult .
Policy have been set and i have the newest version ( 119.0.6045.106).

Oliver Dunk

未读,
2023年11月1日 06:48:382023/11/1
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
Hi both,

My understanding is that this does not affect the "Allow access to file URL" toggle, and only impacts the ability to navigate to file:// URLs using the different APIs.

Have you tried to use those APIs since applying the policy?

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


Flozzl 51

未读,
2023年11月1日 08:37:252023/11/1
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
We are using the same APIs since a very long time

Oliver Dunk

未读,
2023年11月1日 08:39:292023/11/1
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
Can you confirm the code that you are running and what error messaging you are getting with this policy applied?
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

未读,
2023年11月1日 08:47:522023/11/1
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Sorry, what do you want me to do?
The policy is active but its not working. 

Screenshot 2023-11-01 134630.jpg

Oliver Dunk

未读,
2023年11月1日 09:16:292023/11/1
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
Could you share:
  • The code you are running to test if this is working (just the snippet navigating to a file:// URL is ok)
  • What error message you see when this fails to work
Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

未读,
2023年11月1日 09:28:572023/11/1
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
For example : file://ourdomain.local/file.pdf
Then a new site opens "chrome-extension://nikfmfgobenbhmocjaaboihbeocackld/options/index.html#need-file-scheme-access"

This is what you need?
Screenshot 2023-11-01 142756.jpg

Oliver Dunk

未读,
2023年11月1日 09:38:302023/11/1
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
How are you navigating to that URL? tabs.create, tabs.update, windows.create etc.

Just want to understand the exact issue you're having.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

未读,
2023年11月1日 09:50:302023/11/1
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Yes ok and im not into coding but i hope the screenshot will be helpful.
Otherwise let me know, which steps i can do.

Screenshot 2023-11-01 144720.jpg

Oliver Dunk

未读,
2023年11月1日 10:02:252023/11/1
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
Thanks for sharing that screenshot, along with the extension ID it provides some helpful context.

It looks like the extension was updated with support for the original change but not support for the policy, so this may need a change from the developer of that extension. You could try reaching out to them using the email address on their Chrome Web Store listing.

In particular, there is some code here which basically prevents things from working unless the file access checkbox is enabled. Unfortunately since the policy and checkbox aren't linked that check is failing. Hopefully that makes a bit of sense?

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Flozzl 51

未读,
2023年11月1日 10:14:182023/11/1
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Thanks Oliver, i will get in touch with the developer and inform you here, if i get some new informations about this problem.
It makes sense for me.

Flozzl 51

未读,
2023年11月3日 07:16:542023/11/3
收件人 Chromium Extensions、Flozzl 51、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
Ive got a reply from the developer of that extension.
It seems to be that it will be fixed in the next release.

Dear Sir,

 

Thank you for contacting me.
I updated the extension.
I think it's fixed in version 0.9.4.

 

Takashi Sugimoto


Oliver Dunk

未读,
2023年11月3日 07:47:252023/11/3
收件人 Flozzl 51、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza
That's great news, thanks for the update!
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月6日 14:41:452023/11/6
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Colleagues, I already have 119 Chrome, but in my extension (jbfeongihppeenfnaofmdeikahaefljd) everything still works. In addition, I don’t see any toggles in our extension settings - https://gang.manganum.app/GpFGbTgN

How is this possible?

Oliver Dunk

未读,
2023年11月7日 06:34:472023/11/7
收件人 Uladzimir Yankovich、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Hi Uladzimir,

I'm not sure what to suggest - this is working for me, including with Manganum.

I notice in the video you shared previously you had some enterprise policy. Do you see anything at chrome://policy that could affect this?

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月7日 07:01:392023/11/7
收件人 Oliver Dunk、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
--
Uladzimir Yankovich,
Founder @ Manganum (manganum.app).

Oliver Dunk

未读,
2023年11月7日 08:44:462023/11/7
收件人 Uladzimir Yankovich、Chromium Extensions、ELU Konsult、Jun Kokatsu、MH、Jackie Han、iza、Flozzl 51
Strange. My suggestion for now would be to open a Chrome bug - that way we can at least see if this is happening for anyone else.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Jun Kokatsu

未读,
2023年11月7日 18:00:552023/11/7
收件人 Oliver Dunk、Uladzimir Yankovich、Chromium Extensions、ELU Konsult、MH、Jackie Han、iza、Flozzl 51
> In addition, I don’t see any toggles in our extension settings

You can add the following, and it should show the allow file access toggle.
"optional_host_permissions": [ "file:///*" ]


Thanks,

Jun

Uladzimir Yankovich

未读,
2023年11月8日 18:00:172023/11/8
收件人 Chromium Extensions、Jun Kokatsu、Uladzimir Yankovich、Chromium Extensions、ELU Konsult、MH、Jackie Han、iza、Flozzl 51、Oliver Dunk
I asked 3 random users with 120 Chrome to send screenshots, and still nothing.

Could it be that this update does not affect the all_host extension? 🤔

Oliver Dunk

未读,
2023年11月9日 06:07:292023/11/9
收件人 Uladzimir Yankovich、Chromium Extensions、Jun Kokatsu
Hi Uladzimir,

I'm definitely seeing this in the Manganum extension so I don't think it's permission related.

Could you confirm exactly what you asked users to test? There are some things (duplicating tabs or re-opening closed ones) that I believe still work so the focus on this is very much navigation through methods like `chrome.tabs.update`.

Appreciate your patience, clearly we're seeing very different things so I appreciate your persistence in trying to figure out what's happening.

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月9日 06:12:202023/11/9
收件人 Oliver Dunk、Chromium Extensions、Jun Kokatsu
I asked them if they saw the "Allow access to file URLs" toggle. No, they don't.

At the same time, I see it on my devices with other extensions (https://gang.manganum.app/q0PpJXWs). But I don’t see it in Manganum (https://gang.manganum.app/6TwsXS9S).

Oliver, could you share a screenshot?

Oliver Dunk

未读,
2023年11月9日 06:19:322023/11/9
收件人 Uladzimir Yankovich、Chromium Extensions、Jun Kokatsu
Ah, got it. I assumed you were still talking about not being able to see the new behaviour in general.

It looks like Manganum doesn't have the optional_host_permissions key Jun suggested yet?
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月9日 07:07:282023/11/9
收件人 Oliver Dunk、Chromium Extensions、Jun Kokatsu
Yes, but other extensions don’t have it either 😂


Oliver Dunk

未读,
2023年11月9日 07:09:382023/11/9
收件人 Uladzimir Yankovich、Chromium Extensions、Jun Kokatsu
Do you have an example of an extension that doesn't have that but does show the toggle?
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月9日 07:14:122023/11/9
收件人 Oliver Dunk、Chromium Extensions、Jun Kokatsu

Oliver Dunk

未读,
2023年11月9日 07:22:452023/11/9
收件人 Uladzimir Yankovich、Chromium Extensions、Jun Kokatsu
I think that one is because it's requesting "*://*/*", which includes file:// URLs :)
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Uladzimir Yankovich

未读,
2023年11月9日 07:30:482023/11/9
收件人 Oliver Dunk、Chromium Extensions、Jun Kokatsu

Oliver Dunk

未读,
2023年11月9日 07:59:572023/11/9
收件人 Uladzimir Yankovich、Chromium Extensions、Jun Kokatsu
It looks like requesting the activeTab permission will show the setting as well.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

MH

未读,
2023年11月10日 08:38:102023/11/10
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions
Can we please have an enterprise policy to manage the allow file acces toggle for specific extensions.
I cant request all my employees to activate it.

Oliver Dunk

未读,
2023年11月10日 10:14:562023/11/10
收件人 MH、Chromium Extensions
Do you mean the file access toggle, or specifically being able to navigate to file URLs?

For the latter, which is the only thing we have changed recently, we added a policy that you can find here: https://support.google.com/chrome/a/answer/9867568?hl=en#:~:text=file_url_navigation_allowed

For the file access toggle, that would be a more general feature request. I don't think we'd prioritize it since nothing has changed there recently, but feel free to file something on the bug tracker :)

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Seema Habib

未读,
2023年11月12日 12:24:222023/11/12
收件人 Oliver Dunk、MH、Chromium Extensions

David

未读,
2023年12月11日 06:07:092023/12/11
收件人 Chromium Extensions、Seema Habib、MH、Chromium Extensions、Oliver Dunk
Added a feature request to control extension toggles via enterprise policy here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1501780

Pedro Pinho

未读,
2023年12月20日 04:18:522023/12/20
收件人 Chromium Extensions、David、Seema Habib、MH、Chromium Extensions、Oliver Dunk
To elaborate on MH's comment above, while it's true we now have the file_url_navigation_allowed ExtensionSettings policy field to toggle the "Allow access to file URLs" extension setting, the toggle is not enabled in the UI, as any other policy control setting is usually seen in Chrome. This causes some confusion to IT admins and more tech savvy users, as it's expected that the toggle is set if affected by a policy setting.
I'm unsure that https://bugs.chromium.org/p/chromium/issues/detail?id=1501780 targets this specific issue, as it seems like a more generic feature request.

Jun Kokatsu

未读,
2023年12月20日 13:54:552023/12/20
收件人 Chromium Extensions、Pedro Pinho、David、Seema Habib、MH、Chromium Extensions、Oliver Dunk
file_url_navigation_allowed ExtensionSettings policy and "Allow access to file URLs" toggle are two different things.
file_url_navigation_allowed only allows navigations to file URLs, but it does not provide file URL access.

If you'd like to control file URL access through enterprise policy, this bug has the past discussions on that topic and reason for those decisions.

Thanks,

Jun

Pedro Pinho

未读,
2023年12月21日 06:17:582023/12/21
收件人 Chromium Extensions、Jun Kokatsu、Pedro Pinho、David、Seema Habib、MH、Chromium Extensions、Oliver Dunk
Thanks Jun, but that's a rather old bug. My feedback was more in the sense that, for most (if not all) browser settings controlled via policy, the UI is updated accordingly (usually graying out options, lock icon, etc). This is usually the expectation of IT admins and the quickest way to assess a given policy setting takes effect. If this is not something that should be pursued, for technical/design reasons, I guess that's an evaluation that may need to be done, as this is more of an UX thing. What matters the most is that the new field is indeed taking effect and working as intended, just not the UI part IT admins are accustomed to when deploying browser policies.

Oliver Dunk

未读,
2024年1月3日 06:07:261月3日
收件人 Pedro Pinho、Chromium Extensions、Jun Kokatsu、David、Seema Habib、MH
Hi Pedro,

I just wanted to reiterate what Jun said here, since I think there might be some confusion.

Enabling the file access toggle in the UI gives extensions access to read data on file:// URLs. Setting file_url_navigation_allowed does not, so it would be confusing if the UI changed (since that would imply the extension has access it doesn't).

I hope that makes sense.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Pedro Pinho

未读,
2024年1月3日 11:20:001月3日
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、Jun Kokatsu、David、Seema Habib、MH、Pedro Pinho
Thanks Oliver and Jun, this is clear now. Sorry for the confusion.

Maximilian Hansen

未读,
2024年2月6日 11:19:312月6日
收件人 Chromium Extensions、Pedro Pinho、Oliver Dunk、Chromium Extensions、Jun Kokatsu、David、Seema Habib、MH
Hello everyone,

Our Windows GPO for the Google Chrome extension: chrome://extensions/?id=nikfmfgobenbhmocjaaboihbeocackld, doesn't seem to work.

We need the toggle for the users: Allow access to file URLs

Attached is an excerpt from the GPO. The extension is also displayed in Chrome as installed by company policy.

Is there any way to troubleshoot?

GPO.PNG

Oliver Dunk

未读,
2024年2月6日 11:43:172月6日
收件人 Maximilian Hansen、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH
Hi Maximilian,

To confirm, are you trying to use APIs like `chrome.tabs.update` or specifically to enable the file access toggle? The policy removes some restrictions from the APIs but does not enable the toggle or allow unrestricted access to files.

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Maximilian Hansen

未读,
2024年2月6日 15:21:352月6日
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH、Maximilian Hansen
Hello Oliver, thanks for the quick feedback.

Is there a way to customize this toggle via GPO? 

Oliver Dunk

未读,
2024年2月7日 06:20:332月7日
收件人 Maximilian Hansen、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH
There isn't currently a way to control that I'm afraid.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Maximilian Hansen

未读,
2024年2月7日 08:37:432月7日
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH、Maximilian Hansen
Hi Oliver, thanks for the feedback.
Will this be possible again in the near future?

Max

Oliver Dunk

未读,
2024年2月7日 08:38:592月7日
收件人 Maximilian Hansen、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH
There aren't any plans at the moment.

Would you be comfortable sharing your use case in more detail? It would be interesting to know.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Justin Jaeger

未读,
2024年4月15日 10:28:404月15日
收件人 Chromium Extensions、Oliver Dunk、Chromium Extensions、Pedro Pinho、Jun Kokatsu、David、Seema Habib、MH、Maximilian Hansen
Hi Oliver,

My facility is having the same issue as Maximilian. We are trying to use an extension called "Enable local file links" for use with our company intranet to open files from our company's shared drive. We have a number of links to specific points in our shared drive but the extension requires you to set "Allow access to file URLs" before it can be used. We use this within a Citrix environment and when you log off, it resets that permission. We're looking for a way to enable this in group policy but everything we have found says that it cannot be done. Is there a way to request this feature be added? We used to use this with IE without a problem but with the switch to Chrome, I believe this functionality was turned off for security reasons. Unfortunately, it creates a large barrier for us as most of our users are not well versed with looking for the files they need in the shared drive.

Thank you,
Justin Jaeger

回复全部
回复作者
转发
0 个新帖子