How to check the authenticity of a Chrome extension?
<h3>The Context:</h3>
<ul>
<li>You have a web server which has to provide exclusive content only if your client has your specific Chrome extension installed.</li>
<li>You have two possibilities to provide the Chrome extension package: <ol> <li>From the Chrome Web Store</li> <li>From your own server</li> </ol></li>
</ul>
<h3>The problem:</h3>
<ul>
<li>There is a plethora of solutions allowing you to know that a Chrome extension is installed: <ol> <li>Inserting an element when a web page is loaded by using <a href="http://developer.chrome.com/extensions/content_scripts.html" rel="noreferrer">Content Scripts</a>.</li> <li>Sending specific headers to the server by using <a href="http://developer.chrome.com/extensions/webRequest.html" rel="noreferrer">Web Requests</a>.</li> <li>Etc.</li> </ol></li>
<li>But there seems to be no solution to check if the Chrome extension which is interacting with your web page is genuine.</li>
<li>Indeed, as the source code of the Chrome extension can be viewed and copied by anyone who wants to, <strong>there seems to be no way to know if the current Chrome extension interacting with your web page is the one you have published</strong> or a cloned version (and maybe somewhat altered) by another person.</li>
<li>It seems that you are only able to know that some Chrome extension is interacting with your web page in an "expected way" but you cannot verify its authenticity.</li>
</ul>
<h3>The solution?</h3>
<ul>
<li>One solution may consist in using information contained in the Chrome extension package and which cannot be altered or copied by anyone else: <ol> <li>Sending the Chrome extension's ID to the server? But how? <ul> <li>The ID has to be sent by you and your JavaScript code and there seems to be no way to do it with an "internal" Chrome function.</li> <li>So if someone else just sends the same ID to your server (some kind of Chrome extension's ID spoofing) then your server will consider his Chrome extension as a genuine one!</li> </ul></li> <li>Using the private key which served when you packaged the application? But how? <ul> <li>There seems to be no way to access or use in any way this key programmatically!</li> </ul></li> </ol></li>
<li>One other solution may consist in using <a href="http://developer.chrome.com/extensions/npapi.html" rel="noreferrer">NPAPI Plugins</a> and embedding authentication methods like GPG, etc. But this solution is not desirable mostly because of the big "Warning" section of its <a href="http://developer.chrome.com/extensions/npapi.html" rel="noreferrer">API's doc</a>.</li>
<li><strong><em>Is there any other solution?</em></strong></li>
</ul>
<h3>Notes</h3>
<p>This question attempts to raise a real security problem in the Chrome extension's API: how to check the authenticity of your Chrome extension when it comes to interacting with your services. If there are any missing possibilities, or any misunderstandings, please feel free to ask me in comments.</p>