Chrome app (CRX) compiled code? - google-chrome-app

If I put JavaScript into a Chrome application (CRX), will the code be compiled or in any way hidden from view? At least the CRX file seems binary, but is it easily reverse engineered? Does Chrome in some way "unpack" it such that a user could easily access the JavaScript?
MW

CRX is essentially a ZIP file (with some extra cryptographic integrity signature).
Once installed, it will be almost no different from the unpacked extension/app that was used to produce it - it will reside in the Chrome profile folder. The code will be in the open and fully accessible from the same debugging/development tools as you used to develop it.
There is absolutely nothing to stop someone from copying/modifying the extension/app for their needs.
You can minify/obfuscate code, but that's frowned upon by both CWS and Mozilla add-ons, meaning you may fail automated/manual reviews as a result.
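To make the "CRX is a ZIP with a signature header" point concrete, here is an added example (not code from the question or the answer above) that parses the CRX framing and lists the files carried inside. The sample package it builds is constructed in memory with placeholder public-key and signature bytes; it does not produce or verify a real signature, it only shows that everything after the header is an ordinary ZIP archive that standard tools can read.

```python
"""Parse a CRX (Chrome extension/app package) and list the files inside.

Added example, not code from the original post. It builds a constructed
CRX2-style package in memory (placeholder key and signature bytes, no
real RSA signing) and shows that the payload after the header is a
plain ZIP archive whose members can be read directly.
"""
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def parse_crx(data: bytes) -> dict:
    """Split a CRX2 or CRX3 file into its header fields and the ZIP payload.

    Layout (all integers little-endian uint32):
      CRX2: magic, version=2, pubkey_len, sig_len, pubkey, sig, zip
      CRX3: magic, version=3, header_len, header (protobuf), zip
    Only the framing is parsed; the signature is not verified here.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        pubkey_len, sig_len = struct.unpack_from("<II", data, 8)
        key_start = 16
        sig_start = key_start + pubkey_len
        zip_start = sig_start + sig_len
        header = {
            "public_key": data[key_start:sig_start],
            "signature": data[sig_start:zip_start],
        }
    elif version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        zip_start = 12 + header_len
        header = {"crx3_header": data[12:zip_start]}
    else:
        raise ValueError(f"unsupported CRX version {version}")
    zip_bytes = data[zip_start:]
    if zip_bytes[:2] != b"PK":
        raise ValueError("payload after header is not a ZIP archive")
    return {"version": version, "header": header, "zip": zip_bytes}


def list_crx_files(data: bytes) -> list:
    """Return the member names of the ZIP carried by a CRX."""
    with zipfile.ZipFile(io.BytesIO(parse_crx(data)["zip"])) as zf:
        return zf.namelist()


def read_crx_file(data: bytes, name: str) -> bytes:
    """Return the raw bytes of one member (e.g. a script) from a CRX."""
    with zipfile.ZipFile(io.BytesIO(parse_crx(data)["zip"])) as zf:
        return zf.read(name)


def build_sample_crx2() -> bytes:
    """Constructed sample: a tiny ZIP wrapped in a CRX2 frame.

    The key and signature fields are placeholders, not a valid signature;
    they only exercise the length fields in the header.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"name": "demo", "manifest_version": 2}')
        zf.writestr("background.js", "console.log('hello from the package');")
    zip_bytes = buf.getvalue()
    fake_pubkey = b"PLACEHOLDER-DER-PUBLIC-KEY"
    fake_sig = b"PLACEHOLDER-SIGNATURE" * 2
    header = CRX_MAGIC + struct.pack("<III", 2, len(fake_pubkey), len(fake_sig))
    return header + fake_pubkey + fake_sig + zip_bytes


if __name__ == "__main__":
    crx = build_sample_crx2()
    info = parse_crx(crx)
    print("CRX version:", info["version"])
    print("files:", list_crx_files(crx))
    print(read_crx_file(crx, "background.js").decode())
```

Run it as a script to see the member list and the script body printed straight out of the package. Point `parse_crx` at a real `.crx` you built yourself and the result is the same: the header only authenticates the archive, it does not conceal it, which is why the review concern about obfuscation in the answer above is the only lever a publisher has.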

Related

Unity Build - Standalone file

I have made a Unity build and would like to share it with colleagues.
But I don't want to share it as the standard "folder structure" build.
So, I have made a single .exe file with an icon, using a WinRAR self-extracting file.
It works great....BUT Windows and antivirus apps scream bloody murder when they try to open it, thinking it is a potential virus of course.
That makes the file unusable for web sharing (Sharing on a USB drive there are no problems).
How can I make a single file build, for web download, that does not make Windows and Antivirus apps go crazy?
Basically...
You need to pack(age) the build of the app.
(Note the boxing app in the linked tutorial is just an example. There are many ways to pack the game into an executable, and you don't need that specific one.)
Depending on platform, it's also either required or recommended that you sign (1)(2) the app and/or executable.
That's not that trivial since antivirus software hates self-extracting exe files ;)
Either go with the usual folder structure and ship it as a .zip.
Or you could go the correct but more complex way and create a proper Installer that correctly asks for admin permissions and then is allowed to extract content into the usual program paths.
Or you can try and use this, but it might suffer from the same issue as the self-extracting exe.

Risk of adding "sensitive" files to Chrome Devtools workspace

When adding a folder from your local filesystem to the Chrome DevTools workspace, you'll receive a dialog banner which warns you to "not expose any sensitive information" before you grant access.
What are the specific risks associated with doing this? Is the workspace vulnerable to access by extensions? Script injection?
Official response -
"We use the same api as a regular website/chrome app, so it’s not something specific to devtools. I guess in theory if you map you workspace maps to a malicious site and then you live edit your site with devtools open the site might be able to detect your edits? That’s pretty convoluted though.
We assume that information in the workspace is data for your project. I wouldn’t add /etc/passwd to a devtools workspace."
From the review -
"How does one revoke access? If I make a mistake, I can remove the .allow-devtools-edit file. I don't see a way to do this with the new approach.
I'm not sure an infobar is strong enough. There's a class of users that will click this but would never be willing or savvy enough to put the .allow file onto their machines."
As well as -
"The message ought to be scarier, talking about ensuring that there isn't sensitive information in that directory."
Not much, but the original issue for the previous method (adding a file to the folder to allow it to be mapped) also says -
"DevTools needs file system access to allow developers edit/add sources (even those that are not loaded from server, e.g. deployment descriptors, server scripts).
We plan to use File System API (isolated file system).
To add a folder to DevTools users will need to
1. Add an empty .allow-devtools-edit file to the folder (for security purposes)"
I guess because Developer Tools extensions might then be able to read the files you mapped, it can expose highly sensitive information, like unencrypted user names and passwords that might be found in configuration files.

Get the real-time web design preview from the browser

Assume that I have two monitors attached to my PC. Now I want to get a preview of a web site while coding it. Is there any way to do this?
e.g. do the coding in Sublime Text on one monitor and in the meantime watch the output in the Firefox web browser.
I have used live.js for this more than once. It can work either as a bookmarklet or embedded on your page, and it works in any browser as it's not an extension. Also requires no other software to work.
The downside is that it will flood your developer tools with HEAD requests every second or so to determine when to reload things. That's the cost of not having to install external software.
You can use the LiveReload plugin for SublimeText. It listens for changes to your code files and updates them in the browser in real time.
Also, do not forget to add the respective browser extension. That should save you from adding any scripts into your page.
You could use yeoman ( with Grunt or Gulp depends on which generator you want to use ).

Packaging a GWT app to run completely offline NOT installed via a "marketplace"

There's a few questions similar to this, so I'll try to be as clear as possible.
We have an existing, fairly large and complex, GWT web game I have been asked to make work offline. It has to be offline in pretty much the strictest sense.
Imagine we have been told to make it work off a CD-ROM.
So installation is allowed, but we can't expect the users to go to a Chrome/Firefox store and install it from there. It would need to be off the disc.
Likewise, altering the browser's start-up flags would be unreasonable to expect of users.
Ideally, it would be nice if they just clicked an HTML file for the start page and it opened in their browser of choice.
We successfully got it working this way in Firefox by adding;
"<add-linker name='xsiframe' />"
To our gwt.xml settings. This seems to solve any security issues FF has with local file access.
However, this does not solve the problem for Chrome.
The main game starts up, but various file requests are blocked due to security issues like these;
XMLHttpRequest cannot load file:///E:/Game%20projects/[Thorn]%20Game/ThornGame/text/messages_en.properties. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource.MyApplication-0.js:34053 com_google_gwt_http_client_RequestBuilder_$doSend__Lcom_google_gwt_http_client_RequestBuilder_2Ljava_lang_String_2Lcom_google_gwt_http_client_RequestCallback_2Lcom_google_gwt_http_client_Request_2 MyApplication-0.js:34053
Now I was aware same-origin policy issues might pop up, as during development we often tested locally using flags in Chrome to bypass them.
Thing is...now I don't know how to get around them when we can't use startup flags.
Obviously in the example given it's just the .properties file GWT uses to get some language-related text. I could dump that inline in one way or another.
However, it's only one of many, many, many files being blocked.
The whole game was made to run off *.txt game scripts on the server - to allow easy updating by non-coders. Really the actual GWT code is just an "engine" and all the XMLHttpRequested files supply the actual "game".
These files are of various types; csv, txt, ntlist, jam.
The last two being custom extensions for what are really just txt files.
All these files are blocked by Chrome's security. It seems from what I can make out only images are allowed to be accessed locally.
Having all these files compiled in would just be impossible, as they are not fixed in number (i.e. one central .txt file determines various scene .txt files which in turn determine various object files and directories...).
Putting all this into a bundle would be a nightmare to create and maintain.
So in essence I need some way to supply an offline version of a GWT project that can access a large number of various files in its subdirectories without security issues.
So far all I can think of is;
A) There's something I can tell Chrome via HTML or GWT that allows these files to be read in Chrome like FF can. (I suspect this isn't possible).
An alternative to XMLHttpRequest maybe?
B) I need to somehow package a game + a web browser in an executable package that has permission to access files in its directories. (http://www.appcelerator.com/titanium ? ?? ).
C) I need to package and have the user run a full webserver that can then deliver all these files in an XMLHttp-accessible way.
D) Bit of a funny one...we can't tell the user to add flags to browser start-up...but maybe I could write a game installer which just detects if they have Chrome or Firefox. It then opens up the game's HTML in their browser with the correct flags for them? This would open up security issues if they browse elsewhere with that instance though, so I'd presumably need other flags to disable the URL bar if that's possible.
I am happy to make various changes to our code to achieve any of this - but as mentioned above there's no way to determine all the files needing to be accessed at compile time.
And finally, of course, it all has to be as easy as possible for the end user.
Ideally just clicking an HTML file, or installing something no more complex than a standard Windows program.
Thanks for reading this rather long explanation, any pointers and ideas would be very welcome. I especially will appreciate multiple different options or feedback from anyone that's done this.
========================================
I accepted the suggestion to use Chromiumembedded below.
This works and does what I need (and much much more)
To help others that might want to use it, I specifically made two critical changes to the example project;
Because CEF needs an absolute path to the web app's local HTML, I wrote a C++ function to get the directory the .exe was launched from. This was a platform-specific implementation, so if supporting a few OSes (which CEF does) be sure to write dedicated code for each.
Because my webapp will make use of local files, I enabled the Chrome flag for this by changing the browser settings;
browser_settings.file_access_from_file_urls = STATE_ENABLED;
These two changes were enough to get my app working, but it is obviously the bare minimum to make an application. Hopefully my findings will help others.
I'd suggest going the wrapper route. That is, provide a minimal browser implementation that opens your files directly. Options are Chromium Embedded[1]. If the nature of the application absolutely requires the files to be served as non-file urls then bundle a minimal webserver, have the on-disk executable start the server and open the bundled browser with whatever startup arguments you want.
[1] https://bitbucket.org/chromiumembedded/cef
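The answer's second suggestion (bundle a minimal webserver so the game is served over HTTP instead of `file://`, i.e. option C from the question) is the part that can be shown without CEF. The following is an added example, not code from the question or answer: a loopback-only static server in Python that serves the game folder, maps the question's custom text extensions (`.properties`, `.ntlist`, `.jam`) to `text/plain`, and refuses paths outside the served directory. The sample game directory and its `messages_en.properties` content are constructed for the demonstration; the `make_sample_game_dir`, `start_local_server` and `fetch` names are this example's own.

```python
"""Serve a game/web-app directory over loopback HTTP so XMLHttpRequest works.

Added example, not code from the original question or answer. Instead of
file:// URLs (which Chrome blocks for XHR), a bundled launcher serves the
game folder on 127.0.0.1 only. Binding to the loopback address means the
game files are never reachable from other machines on the network.
"""
import functools
import http.server
import os
import pathlib
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
import webbrowser

# The question describes these as plain text files with custom extensions.
TEXT_EXTENSIONS = {".properties", ".ntlist", ".jam", ".csv", ".txt"}


class GameHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler restricted to a single game directory."""

    def guess_type(self, path):
        # Serve the game's script/data files as text regardless of the
        # host's mimetypes database (which differs between Python versions).
        if os.path.splitext(path)[1].lower() in TEXT_EXTENSIONS:
            return "text/plain"
        return super().guess_type(path)

    def translate_path(self, path: str) -> str:
        # SimpleHTTPRequestHandler already strips '..' segments; this makes
        # the containment rule explicit and fails closed (404) if violated.
        resolved = pathlib.Path(super().translate_path(path)).resolve()
        root = pathlib.Path(self.directory).resolve()
        if resolved != root and root not in resolved.parents:
            return str(root / "__outside_served_directory__")
        return str(resolved)

    def end_headers(self):
        # Avoid stale game scripts being served while content is edited.
        self.send_header("Cache-Control", "no-store")
        super().end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the launcher quiet


def start_local_server(directory: str):
    """Bind to 127.0.0.1 on an OS-chosen port; return (server, base_url)."""
    handler = functools.partial(GameHandler, directory=directory)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def fetch(url: str):
    """GET a URL; return (status, content type or None, body bytes)."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.headers.get_content_type(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, None, b""


def make_sample_game_dir() -> str:
    """Constructed sample layout mirroring the question's text/ folder."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="gwt-offline-"))
    (root / "text").mkdir()
    (root / "text" / "messages_en.properties").write_text("greeting=Hello\n")
    (root / "index.html").write_text("<!doctype html><title>game</title>")
    return str(root)


if __name__ == "__main__":
    game_root = make_sample_game_dir()
    server, base = start_local_server(game_root)
    print("serving", game_root, "at", base)
    print(fetch(base + "/text/messages_en.properties"))
    webbrowser.open(base + "/index.html")  # a real launcher opens the bundled browser
    input("press Enter to stop the server")
    server.shutdown()
```

The server picks a free port at start-up, so the launcher (not a fixed URL) is what opens the browser; that also avoids clashing with anything else the user runs on the machine. Nothing about the GWT build changes: the same `XMLHttpRequest` calls that fail under `file://` succeed against `http://127.0.0.1:<port>/`, which is exactly the same-origin behaviour the console error in the question describes.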

How to remove code generated by plugins from the Chrome browser developer tools?

I'm using Google Chrome Developers tool and console while developing and debugging my web applications.
I've some Chrome plugins/extensions installed. These plugins/extensions add extra markup and scripts to the pages while rendering them in the browser, and when I view my code in the developer tools, it makes it a lot messier.
I want a clean way to view my code without that extra markup.
So is there a way to toggle (disable/enable) the plugins quickly, or in the best way, to disable them in a particular tab? I've several plugins/extensions installed and I don't think it's a good idea to disable and then re-enable them manually.
Besides, I may want to use a plugin/extension while I'm browsing other websites on other tabs simultaneously.
There's no mechanism to disable an extension for a specific tab, or specific host. You could hack something together via the management API that would disable extensions when you hit a specific URL, but that disabled state would be global, not local.
Extensions don't, however, run in Incognito mode (unless you explicitly whitelist them via a checkbox at chrome://extensions): that might be a decent workaround for you. Load your in-development site in Incognito, work with it there in a clean environment, and pop back into your regular window for normal browsing.
You could, of course, accomplish the same thing by setting up a specific profile for development in which you simply didn't install extensions.
These are workarounds, of course. You should feel free to file a feature request for more granular user-side control over when extensions are loaded: http://new.crbug.com/
Would running 2 separate instances of Chrome be of help for you?
(You can start 2 unrelated Chrome browser instances from a command line specifying different user directories: chrome --user-data-dir=userdata1 & chrome --user-data-dir=userdata2 )
I haven't tried it for your use case, but it sounds reasonable.