> install: function(f,h,j,i,k) {
That function install is called with some parameters.
var f = getApps(); //an Array with 2 items: Chrome and Gears
var h = 'sv'; // language code
var j = areStatsEnabled(); //?
i = function; //this one is called on install success
k = function; //called on fail
A service "update2/installping" gets one HTTP GET request for each of
the two products, and the result is not used or verified:
> var q=new Image;
> q.src=m
It's just a "ping" that someone wanted to install them, along with
"_GU_getlid()". This iid should come from a cookie. If missing, it
uses "{11112222-3333-4444-5555-666677778888}" -- looks like a GUID.
Iid might be a tracking cookie? Someone could want to investigate what
info is tied to it and how it is used.
Then it finally activates Install() in the oneclick plugin.
> window.google.update.oneclickPlugin_.Install(r,i,k)
var r = '/install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={aaaa1AF2-bbA0-B7cc-dd1D-eeeeECD7eeee}&lang=sv&browser=0&usagestats=1&appname=Google%20Chrome&needsadmin=false&appguid={00058422-BABE-4310-9B8B-B8DEB5D0B68A}&appname=ChromeGears&needsadmin=false"';
(I covered parts of my iid, just for good measure :-).
With urlsnooper from donationcoder, I got to know what that oneclick
does with my network.
http://tools.google.com/service/update2/oneclick?du=http://www.google.com/&args=/install%20%22appguid=%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D&iid=%7B(removed:-)7%7D&lang=sv&browser=0&usagestats=1&appname=Google%20Chrome&needsadmin=false&appguid=%7B00058422-BABE-4310-9B8B-B8DEB5D0B68A%7D&appname=ChromeGears&needsadmin=false%22&w=3:l3dz....
(174 chars, looks encrypted, maybe a hash or just anything else)
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/xml; charset=UTF-8
Content-Length: 177
Date: Fri, 12 Sep 2008 20:09 GMT
Server: GFE/1.3
<?xml version="1.0" encoding="UTF-8"?><OneClick xmlns:oc="http://tools.google.com/service/update2/oneclick"><HostCheck domain="http://www.google.com/" status="pass"/></OneClick>
Next maybe Google Update gets involved (xml says "gupdate" instead of
"OneClick") and machineid, userid, and the stuff we know from above.
Next come download links, hashes and file sizes for
chrome_installer.exe and gears-chrome-opt.msi. Presumably those
installers are hash- and size-checked before they are run. The
oneclick/gupdate code should need to verify this whole message though,
and I don't see HTTPS or hashes by which that would be done. Maybe all
those are locked to only run with google.com, which together with rigorous
testing for normal software bugs (MSXML?) would be almost enough.
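Added example, not part of the original post and not Google's code: a sketch of why the hash and size check on the installers only helps if the message carrying those hashes is itself authenticated. The manifest layout, function names, file contents and the HMAC key are all constructed assumptions; the HMAC stands in for a public-key signature or HTTPS so the example needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the updater's trust anchor. A real
# updater would verify a public-key signature or fetch over HTTPS instead.
DEMO_KEY = b"constructed-demo-key"


def make_manifest(payloads):
    """Build a manifest listing name, size and SHA-256 for each payload."""
    entries = [{"name": n, "size": len(d), "sha256": hashlib.sha256(d).hexdigest()}
               for n, d in sorted(payloads.items())]
    return json.dumps({"files": entries}, sort_keys=True).encode()


def tag(manifest):
    """Authentication tag over the whole manifest message."""
    return hmac.new(DEMO_KEY, manifest, hashlib.sha256).hexdigest()


def files_match(manifest, payloads):
    """Hash-and-size check only: trusts whatever manifest arrived."""
    for e in json.loads(manifest)["files"]:
        data = payloads.get(e["name"])
        if data is None or len(data) != e["size"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), e["sha256"]):
            return False
    return True


def verify_update(manifest, manifest_tag, payloads):
    """Authenticate the manifest first, then check each file against it."""
    if not hmac.compare_digest(tag(manifest), manifest_tag):
        return False
    return files_match(manifest, payloads)


# Constructed sample data: file names from the post, contents invented.
GENUINE = {"chrome_installer.exe": b"genuine installer bytes",
           "gears-chrome-opt.msi": b"genuine gears bytes"}
MANIFEST = make_manifest(GENUINE)
TAG = tag(MANIFEST)

# Modified in transit: payload replaced and the manifest rewritten to match.
TAMPERED = dict(GENUINE, **{"chrome_installer.exe": b"replaced in transit"})
TAMPERED_MANIFEST = make_manifest(TAMPERED)
```

The rewritten manifest passes files_match() against the replaced payload, while verify_update() rejects it because the tag no longer covers the message that arrived.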