Match wildcard in domain name

3047 views
Skip to first unread message

Nikita Vasilyev

unread,
Feb 12, 2010, 3:57:31 PM2/12/10
to Chromium-extensions
I would like to run my extension on all google domains.
(It's https://chrome.google.com/extensions/detail/fijobgpmmkilncagclaejpjlccfhopdo
actually).
Why I can not do

"matches": ["http://google.*/*"]

?

Wildcard for domain works in Greasemonkey scripts, see
http://github.com/greasemonkey/greasemonkey/blob/master/content/convert2RegExp.js#L45

Why Chrome can't do the same?

Arne Roomann-Kurrik

unread,
Feb 12, 2010, 6:40:23 PM2/12/10
to Nikita Vasilyev, Chromium-extensions
Hi,

   The match patterns in Google Chrome are a bit different, see: http://code.google.com/chrome/extensions/match_patterns.html for more information.

   What you probably want is something like http://*.google.com/*

~Arne


--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.


Nikita Vasilyev

unread,
Mar 2, 2010, 8:51:30 AM3/2/10
to Chromium-extensions
No, I don't want to match all sub-domains. I do want match google.ac
google.ae google.af google.ag google.am google.com.ar google.as
google.at google.com.au google.az google.ba google.com.bd google.be
google.bf google.bg google.bi google.bj google.com.bn google.com.bo
google.com.br google.bs google.co.bw google.com.by google.com.bz ...


On Feb 13, 2:40 am, Arne Roomann-Kurrik <kur...@chromium.org> wrote:
> Hi,
>

>    The match patterns in Google Chrome are a bit different, see:http://code.google.com/chrome/extensions/match_patterns.htmlfor more


> information.
>
>    What you probably want is something like http://*.google.com/*
>
> ~Arne
>

> On Fri, Feb 12, 2010 at 12:57 PM, Nikita Vasilyev <alter.el...@gmail.com>wrote:
>
>
>
> > I would like to run my extension on all google domains.
> > (It's

> >https://chrome.google.com/extensions/detail/fijobgpmmkilncagclaejpjlc...


> > actually).
> > Why I can not do
>
> > "matches": ["http://google.*/*"]
>
> > ?
>
> > Wildcard for domain works in Greasemonkey scripts, see
>

> >http://github.com/greasemonkey/greasemonkey/blob/master/content/conve...


>
> > Why Chrome can't do the same?
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Chromium-extensions" group.

> > To post to this group, send email to chromium-extensi...@chromium.org.


> > To unsubscribe from this group, send email to

> > chromium-extensions+unsubscr...@chromium.org<chromium-extensions%2Bunsubscr...@chromium.org>

Pauan

unread,
Mar 2, 2010, 12:07:57 PM3/2/10
to Chromium-extensions
Unfortunately, this is not possible at the moment. There is, however,
a workaround; set the content script so it runs on every website, then
evaluate the URL with JavaScript:

if (location.href.indexOf("http://google.") === 0) {
// do code here
}

You can also use a regular expression if you need more power:

if (/^http:\/\/google\.[^\/]+/.test(location.href)) {
// do code here
}

On Feb 12, 12:57 pm, Nikita Vasilyev <alter.el...@gmail.com> wrote:
> I would like to run my extension on all google domains.

> (It'shttps://chrome.google.com/extensions/detail/fijobgpmmkilncagclaejpjlc...


> actually).
> Why I can not do
>
> "matches": ["http://google.*/*"]
>
> ?
>

> Wildcard for domain works in Greasemonkey scripts, seehttp://github.com/greasemonkey/greasemonkey/blob/master/content/conve...

tech4computer

unread,
Mar 2, 2010, 3:59:42 PM3/2/10
to Chromium-extensions

Erik Kay

unread,
Mar 7, 2010, 5:54:56 PM3/7/10
to Pauan, Chromium-extensions
On Tue, Mar 2, 2010 at 9:07 AM, Pauan <pcxunl...@gmail.com> wrote:
Unfortunately, this is not possible at the moment. There is, however,
a workaround; set the content script so it runs on every website, then
evaluate the URL with JavaScript:

if (location.href.indexOf("http://google.") === 0) {
   // do code here
}

Please don't do this.  It's a bad idea for the same reason that the feature isn't implemented as this thread requests in the first place.  You can use this technique and be explicit with a regex and a list of suffixes, but simply taking any suffix is a bad plan.  

The reason is that this opens you up to being injected where you don't expect, which can lead to security problems.  In your above code, it would run on http://google.phisher.org for example.  Even if you changed your code to explicitly test for known registry-controlled domains (.com, .co.uk, .jp, etc.), you'd still have a problem in that most companies (including Google) don't actually own companyname.* for every RCD that's out there.  Further, in the cases where the company doesn't own that domain, the domain is often being used for phishing/malware, etc.  So the only way to do this is to know ahead of time the explicit list of RCDs that are controlled by the company, which can be a pain to figure out unfortunately.

Since your extension has privileges that web pages don't have, you need to be concerned about your script running on hostile websites.  If your extension has a bug, you may leak these privileges to the host website.  We've put a lot into the extensions system to make this hard to do, but it's still possible, so we don't want to encourage this kind of pattern.

One additional problem with your workaround is that in general, it's a good idea to avoid injecting into every page if you can avoid it.  This is for two reasons: performance and security.  Again, even if your code is relatively simple and you're trying to avoid registering anything that could be called unless you match, you may still have a bug that causes it to be exploitable by a hostile website.  Since you're now injecting into every page, you now have to be concerned about every site on the internet.  Performance-wise, every content script that has to be injected into a page will slow down that page's load performance.  It may be by a tiny amount (single-digit milliseconds), but these can add up when you have a lot of extensions.  If you want to compute your match pattern more dynamically, do it in a background page and then use executeScript() to inject your script.

One of the Greasemonkey devs is a lead on the extensions project, so we're definitely aware that this is a feature difference between extensions and Greasemonkey. :-)  This particular issue has caused real-world security problems with some GM scripts, so we were eager to avoid repeating this problem.  We understand that this is a pain when dealing with sites like google, yahoo and amazon that exist in many different top level domains.  We'd love to come up with a more generic solution that could work across all such sites so that amazon.* would match only the sites that amazon owns, but we don't have any proposals we're happy with at the moment.

Erik

 
You can also use a regular expression if you need more power:

if (/^http:\/\/google\.[^\/]+/.test(location.href)) {
   // do code here
}

On Feb 12, 12:57 pm, Nikita Vasilyev <alter.el...@gmail.com> wrote:
> I would like to run my extension on all google domains.
> (It'shttps://chrome.google.com/extensions/detail/fijobgpmmkilncagclaejpjlc...
> actually).
> Why I can not do
>
> "matches": ["http://google.*/*"]
>
> ?
>
> Wildcard for domain works in Greasemonkey scripts, seehttp://github.com/greasemonkey/greasemonkey/blob/master/content/conve...
>
> Why Chrome can't do the same?

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.

Pauan

unread,
Mar 7, 2010, 6:35:39 PM3/7/10
to Chromium-extensions
On Mar 7, 2:54 pm, Erik Kay <erik...@chromium.org> wrote:
> Please don't do this.  It's a bad idea for the same reason that the feature
> isn't implemented as this thread requests in the first place.  You can use
> this technique and be explicit with a regex and a list of suffixes, but
> simply taking any suffix is a bad plan.

I believe there was already a proposal about an OR syntax like this:

"matches": [ "http://google.(com|co.uk|net)/*" ]

> The reason is that this opens you up to being injected where you don't
> expect, which can lead to security problems.  In your above code, it would

> run onhttp://google.phisher.orgfor example.  Even if you changed your code


> to explicitly test for known registry-controlled domains (.com, .co.uk, .jp,
> etc.), you'd still have a problem in that most companies (including Google)
> don't actually own companyname.* for every RCD that's out there.  Further,
> in the cases where the company doesn't own that domain, the domain is often
> being used for phishing/malware, etc.  So the only way to do this is to know
> ahead of time the explicit list of RCDs that are controlled by the company,
> which can be a pain to figure out unfortunately.

Fair enough. My apologies for posting without understanding the
security issues.

Jeff G

unread,
Aug 13, 2014, 5:04:00 PM8/13/14
to chromium-...@chromium.org
Posted this request myself today and it was rejected referencing this security argument, which I find sort of dump as the alternative is no domain security at all (all_sites).  How about a single character wildcard?  This has got to be better security than me requesting all_sites.  https://code.google.com/p/chromium/issues/detail?id=403422
Reply all
Reply to author
Forward
0 new messages