How to detect if a web page is being viewed through a chrome extension.

113 views
Skip to first unread message

Robert Velton

unread,
May 14, 2022, 1:18:29 PMMay 14
to Chromium Extensions
I am in the process of refactoring a locked browser app to be an extension and I need to verify the user is viewing a page through the window that was opened by the extension.

Does anyone know how to check for this?

Thank you.

Cuyler Stuwe

unread,
May 14, 2022, 1:36:35 PMMay 14
to Robert Velton, Chromium Extensions
1. I'm going to have to protest this incorrect usage of the term "refactoring", because a true "refactor" just moves code around with no impact on observable behavior. Moving a browser app to become an extension is definitely a behavior change.

2. When you say "verify", you don't provide enough context to really determine to what level of confidence. The fact of the matter is that even CAPTCHA systems can't perfectly "verify" that a user is actually even a real user; Instead, they give a confidence score. If "verifying" the extension is part of a security concern, for example, then you would need to have 100% confidence. So: What's the context? How much confidence do you need?

3. If confidence doesn't need to be high (e.g., you're running a small app that's probably not going to be the target of any serious cracking/reverse-engineering attempts), and you have control of both the extension and webpage, then you could probably just set up some messaging between the webpage and the extension.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/060c7d4c-eda1-49c8-9fac-cf7e676df09bn%40chromium.org.

hrg...@gmail.com

unread,
May 14, 2022, 1:43:13 PMMay 14
to Chromium Extensions, Robert Velton
There are too many ways of doing this. The details matter.
For example, who needs to perform the detection? the server? the client?

Here are some random ideas:

If a browser tab/window contains an extension page, then the URL of that page looks like this:
chrome-extension://<extension_id>/page.html
So, you can use this URL do tell the difference between a regular http(s) page and an extension page.

If the URL is always a normal http page, then you can inject a snippet of Javascript into that page to make it behave slightly different. For example you can create a cookie value that is sent with every http request to the server.

But again, the details matter. If you explain the problem a bit more, we can come up with better solutions.

wOxxOm

unread,
May 14, 2022, 2:39:29 PMMay 14
to Chromium Extensions, hrg...@gmail.com, Robert Velton
Assuming you were using a <webview> tag in your old Chrome App, I guess you could switch to the upcoming fenced frames that fully imitate a top-level page environment inside a frame that can be embedded in your chrome-extension:// page or a popup window.

Robert Velton

unread,
May 16, 2022, 1:13:43 AMMay 16
to Chromium Extensions, wOxxOm, hrg...@gmail.com, Robert Velton
Definitely some interesting responses buy let me try this again and be much more verbose.

I am trying to create a chrome extension using manifest V3 that locks down the user's(student) testing experience. We are trying to prevent users looking up other answers in different tabs/windows.

We have been looking at this page:

We have been attempt to create a new window with window type locked-fullscreen

We control both the extension and the website. From the website we check if the extension is installed. If the extension is installed we have a "launch" button that will send a message to the extension to open a new window with type locked-fullscreen. I am trying to detect if the user is viewing our website through the new window opened by the extension in locked-fullscreen.

Anyways, thanks for the feedback so far. Hopefully the additional context is helpful.

Cuyler Stuwe

unread,
May 16, 2022, 1:35:02 AMMay 16
to Robert Velton, Chromium Extensions, hrg...@gmail.com, wOxxOm
Is this a proctored environment?

If not, it’s pretty useless to try to prevent cheating in different tabs; Students can just use their phones, tablets, other computers, textbooks, etc.

If so, why aren’t you considering a more locked-down solution? Kiosks? Desktop software that works either in junction with or instead of a browser extension?

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.

wOxxOm

unread,
May 16, 2022, 2:06:04 AMMay 16
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, hrg...@gmail.com, wOxxOm, Robert Velton
You can use declarativeNetRequest to block this site from opening, then add an override rule to allow requests in that specific window by using chrome.declarativeNetRequest.updateSessionRules with `tabId` of that window's tab that contains the site.

Robert Velton

unread,
May 16, 2022, 9:45:55 AMMay 16
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, hrg...@gmail.com, wOxxOm, Robert Velton
Yes, this would be in the classroom. 

Kiosk mode is only support with Chrome apps and those are getting deprecated. So we have 2 choices, build an extension or build an app that is installed from the Google Play store.

The path of least resistance is a chrome extension that we were hoping could use the locked-fullscreen window mode/state. Our challenge right now is understanding when a user is viewing our site through that specific window so we can allow a test to proceed.

Cuyler Stuwe

unread,
May 16, 2022, 11:21:19 AMMay 16
to Robert Velton, Chromium Extensions, hrg...@gmail.com, wOxxOm
OK, so when you said you had "2 choices, build an extension or build an app that is installed from the Google Play store", it seems you accidentally implied some more relevant background to your solution: You're probably restricted to Chromebooks.

hrg...@gmail.com

unread,
May 16, 2022, 11:50:37 AMMay 16
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, hrg...@gmail.com, wOxxOm, Robert Velton
Keep in mind as well that the "locked-fullscreen" state is only supported under Chrome OS. So, you are tying up your software to the hardware that currently exists in your classroom. If, for whatever reason, the school needs to replace one or more computers with another platform (even only temporarily), your software won't work.

Robert Velton

unread,
May 16, 2022, 12:11:25 PMMay 16
to Chromium Extensions, hrg...@gmail.com, salem...@gmail.com, Chromium Extensions, wOxxOm, Robert Velton
Yes, this is only going to be run on Chromebook OS that are all managed globally through admins. If a chromebook needs to be replaced, it will be replaced by another managed chromebook.

Simeon Vincent

unread,
Jun 6, 2022, 1:31:27 PMJun 6
to Robert Velton, Chromium Extensions, hrg...@gmail.com, salem...@gmail.com, wOxxOm
Chrome OS has extended kiosk mode support to progressive web apps (PWAs). I don't know too much about it myself, but these articles should help. 
Simeon - @dotproto
Chrome Extensions DevRel


Robert Velton

unread,
Jun 6, 2022, 2:12:31 PMJun 6
to Simeon Vincent, Chromium Extensions, hrg...@gmail.com, salem...@gmail.com, wOxxOm
Thanks Simeon. I have seen these articles before and they definitely helped a bit. However, I am still trying to figure out if there is a header I can set in Kiosk mode or if there is a way for me to set a cookie that can be read by the site rendered through the Chrome Kiosk mode.

Anyways, I am still digging to try and find something helpful.
Reply all
Reply to author
Forward
0 new messages