One way to think about this is that the Gallery is part of Chrome's UI, just like the New Tab page or the Downloads page. We don't allow content scripts in the NTP either.
Another way to think about this is that injecting a content script into the Gallery lets you install any extension automatically without user intervention, which means you effectively get the most powerful manifest permissions.

Adam

On Wed, Dec 2, 2009 at 11:23 AM, Finnur Thorarinsson <[email protected]> wrote:
>
> Nobody is arguing this prevents extensions from doing bad things. I don't
> think that's a problem that is easily solved within the extension system. At
> the end of the day users should install extensions from developers they
> trust and be able to report extensions that misbehave.
> The Abuse signal is an important part in weeding out the bad extensions so
> yes, I think it is pretty high on the importance list. It also happens to be
> easy to make sure that that safety mechanism is not tampered with directly
> (block content scripts for the Gallery url).
> Sure, you can substitute the download link on the download page for Chrome,
> but realistically how many people download Chrome from the download page if
> they already have Chrome installed?
>
> On Wed, Dec 2, 2009 at 11:08, Pam Greene <[email protected]> wrote:
>>
>> True, but is that a bigger problem than an extension messing with my
>> bank's site? Or my email? Or substituting another link on the download page
>> for Chrome itself, pointing it to a version that doesn't have the
>> no-extensions-on-gallery restriction?
>> - Pam
>>
>> On Wed, Dec 2, 2009 at 11:03 AM, Finnur Thorarinsson <[email protected]>
>> wrote:
>>>
>>> Well, for one an abusive extension could remove the UI in the Gallery
>>> that allows the user to report the extension as abusive. That alone would be
>>> a pretty big problem.
>>>
>>> On Wed, Dec 2, 2009 at 10:53, Claudio Benvenuti
>>> <[email protected]> wrote:
>>>>
>>>> Ok, I'll do that.
>>>> But.. why is the Extension Gallery going to be more vulnerable than
>>>> any other web sites?
>>>> Are you talking about XSS and stuff like that?
>>>> From what I understand the content script is executed in an "isolated
>>>> world", so what am I missing?
>>>> I'm asking just to understand :)
>>>>
>>>> thanks again
>>>>
>>>> Claudio
>>>>
>>>> On Dec 2, 7:32 pm, Finnur Thorarinsson <[email protected]> wrote:
>>>> > Yeah, it would be great to not have to worry about the security of running
>>>> > content scripts on the Gallery, but that's the world we live in.
>>>> >
>>>> > If you are concerned about users uninstalling the extension because of this,
>>>> > then maybe you should note in the description for the extension that the
>>>> > Extension needs to be tested on pages not in the Extension Gallery.
>>>> >
>>>> > On Wed, Dec 2, 2009 at 10:27, Claudio Benvenuti <[email protected]> wrote:
>>>> > > Ok, thank you very much, now it's clear!!!
>>>> > > Thank you also for your precious advice about the permission on file://...
>>>> > > already removed from my manifest :)
>>>> > >
>>>> > > I'm a bit concerned about content_scripts not running on the Chrome
>>>> > > Extension Gallery.
>>>> > > I think that the first action a user will do once he installs a new
>>>> > > extension from the Chrome Extension Gallery is going to be... try
>>>> > > the new extension... but, if extension uses content_script, it's not
>>>> > > going to work... probably the next step will be... "Uninstall"
>>>> > > At least... that's what I did with my own Extension :)
>>>> > >
>>>> > > Sorry for my English and for my comment, if misplaced.
>>>> > > Thank you again
>>>> > >
>>>> > > Claudio
>>>> > >
>>>> > > On Dec 2, 6:57 pm, Finnur Thorarinsson <[email protected]> wrote:
>>>> > > > Yes, for security reasons we don't support running content scripts on the
>>>> > > > Chrome Extension Gallery.
>>>> > > >
>>>> > > > As for mail.google.com, it works for me, although I'm on Windows.
>>>> > > >
>>>> > > > Oh, and as a side note, if your manifest includes running content_scripts on
>>>> > > > file://, then the users of your extension are going to have a very scary
>>>> > > > looking security warning when they try to install your extension. I
>>>> > > > recommend not having your content script run on file:// unless you
>>>> > > > absolutely need to.
>>>> > > >
>>>> > > > -F
>>>> > > >
>>>> > > > On Wed, Dec 2, 2009 at 08:46, Claudio Benvenuti <[email protected]> wrote:
>>>> > > > > Hello Everybody,
>>>> > > > > I'm developing an extension that makes use of content script.
>>>> > > > > In manifest.json I have :
>>>> > > > >
>>>> > > > > "content_scripts": [
>>>> > > > >   {
>>>> > > > >     "matches": ["http://*/*", "https://*/*", "file:///*"],
>>>> > > > >     "js": ["source.js"]
>>>> > > > >   }
>>>> > > > > ],
>>>> > > > >
>>>> > > > > but in some pages, like https://mail.google.com/mail/, or like my
>>>> > > > > chrome extension dashboard
>>>> > > > > (https://chrome.google.com/extensions/developer/dashboard), my content
>>>> > > > > script is not injected in the page, so my extension is not working.
>>>> > > > > I checked this using the Developer Tools.
>>>> > > > >
>>>> > > > > I'm using Chromium 4.0.260.0 under linux.
>>>> > > > > Is anyone experiencing this problem?
>>>> > > > > Am I missing something?
>>>> > > > >
>>>> > > > > Thanks everybody
>>>> > > > > Claudio
>>>> > > > >
>>>> > > > > --
>>>> > > > >
>>>> > > > > You received this message because you are subscribed to the Google Groups
>>>> > > > > "Chromium-extensions" group.
>>>> > > > > To post to this group, send email to [email protected].
>>>> > > > > To unsubscribe from this group, send email to
>>>> > > > > [email protected].
>>>> > > > > For more options, visit this group at
>>>> > > > > http://groups.google.com/group/chromium-extensions?hl=en.

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en.
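
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Chrome's own code: a simplified match-pattern check showing that the posted manifest matches the dashboard URL while the Gallery block still prevents injection, plus an audit that flags the file:// and all-hosts patterns. The Gallery host/path test, the function names and the reduced pattern grammar are assumptions made for illustration.

```javascript
// Added example, not Chrome's implementation. Assumption: the Gallery block is
// modelled as host chrome.google.com + path /extensions, per the thread's URL.
function isGallery(url) {
  return url.hostname === "chrome.google.com" && /^\/extensions(\/|$)/.test(url.pathname);
}

// Split a match pattern "<scheme>://<host><path>" (simplified grammar).
function parsePattern(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host, path] = m;
  const hostValid = scheme === "file" ? host === "" : /^(\*|(\*\.)?[^*]+)$/.test(host);
  if (!hostValid) throw new Error("invalid host in pattern: " + pattern);
  return { scheme, host, path };
}

function patternMatches(pattern, urlString) {
  const { scheme, host, path } = parsePattern(pattern);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  // "*" as a scheme covers http and https only, never file.
  if (scheme === "*" ? !/^https?$/.test(urlScheme) : scheme !== urlScheme) return false;
  const h = url.hostname;
  const hostOk = scheme === "file" || host === "*" || host === h ||
    (host.startsWith("*.") && (h === host.slice(2) || h.endsWith(host.slice(1))));
  if (!hostOk) return false;
  // Escape regex metacharacters, then turn the pattern's "*" into ".*".
  const re = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + re + "$").test(url.pathname + url.search);
}

// True when some content script matches the URL and the page is not the Gallery.
function wouldInject(manifest, urlString) {
  if (isGallery(new URL(urlString))) return false; // blocked regardless of "matches"
  return (manifest.content_scripts || []).some((cs) =>
    cs.matches.some((p) => patternMatches(p, urlString)));
}

// Flag patterns that ask for more reach than most extensions need.
function auditMatches(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches).flatMap((p) => {
    const { scheme, host } = parsePattern(p);
    if (scheme === "file") return [p + ": local files, install-time warning"];
    return host === "*" ? [p + ": every host on this scheme"] : [];
  });
}
// The "content_scripts" entry posted in the thread.
const postedManifest = { content_scripts: [
  { matches: ["http://*/*", "https://*/*", "file:///*"], js: ["source.js"] }] };
```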
