Mmm... but there is going to be an installation confirmation. As Aaron said. It can download the extension - but it cannot install it.
☆PhistucK

On Thu, Dec 3, 2009 at 08:22, Adam Barth <[email protected]> wrote:
> One way to think about this is that the Gallery is part of Chrome's
> UI, just like the New Tab page or the Downloads page. We don't allow
> content scripts in the NTP either.
>
> Another way to think about this is that injecting a content script
> into the Gallery lets you install any extension automatically without
> user intervention, which means you effectively get the most powerful
> manifest permissions.
>
> Adam
>
>
> On Wed, Dec 2, 2009 at 11:23 AM, Finnur Thorarinsson
> <[email protected]> wrote:
> >
> > Nobody is arguing this prevents extensions from doing bad things. I don't
> > think that's a problem that is easily solved within the extension system. At
> > the end of the day users should install extensions from developers they
> > trust and be able to report extensions that misbehave.
> > The Abuse signal is an important part in weeding out the bad extensions so
> > yes, I think it is pretty high on the importance list. It also happens to be
> > easy to make sure that that safety mechanism is not tampered with directly
> > (block content scripts for the Gallery URL).
> > Sure, you can substitute the download link on the download page for Chrome,
> > but realistically how many people download Chrome from the download page if
> > they already have Chrome installed?
> >
> > On Wed, Dec 2, 2009 at 11:08, Pam Greene <[email protected]> wrote:
> >>
> >> True, but is that a bigger problem than an extension messing with my
> >> bank's site? Or my email? Or substituting another link on the download page
> >> for Chrome itself, pointing it to a version that doesn't have the
> >> no-extensions-on-gallery restriction?
> >> - Pam
> >>
> >> On Wed, Dec 2, 2009 at 11:03 AM, Finnur Thorarinsson <[email protected]>
> >> wrote:
> >>>
> >>> Well, for one an abusive extension could remove the UI in the Gallery
> >>> that allows the user to report the extension as abusive. That alone would be
> >>> a pretty big problem.
> >>>
> >>> On Wed, Dec 2, 2009 at 10:53, Claudio Benvenuti
> >>> <[email protected]> wrote:
> >>>>
> >>>> Ok, I'll do that.
> >>>> But.. why is the Extension Gallery going to be more vulnerable than
> >>>> any other web sites?
> >>>> Are you talking about XSS and stuff like that?
> >>>> From what I understand the content script is executed in an "isolated
> >>>> world", so what am I missing?
> >>>> I'm asking just to understand :)
> >>>>
> >>>> thanks again
> >>>>
> >>>> Claudio
> >>>>
> >>>> On Dec 2, 7:32 pm, Finnur Thorarinsson <[email protected]> wrote:
> >>>> > Yeah, it would be great to not have to worry about the security of
> >>>> > running content scripts on the Gallery, but that's the world we live in.
> >>>> >
> >>>> > If you are concerned about users uninstalling the extension because of
> >>>> > this, then maybe you should note in the description for the extension
> >>>> > that the Extension needs to be tested on pages not in the Extension
> >>>> > Gallery.
> >>>> >
> >>>> > On Wed, Dec 2, 2009 at 10:27, Claudio Benvenuti <[email protected]> wrote:
> >>>> > > Ok, thank you very much, now it's clear!!!
> >>>> > > Thank you also for your precious advice about the permission on
> >>>> > > file://... already removed from my manifest :)
> >>>> > >
> >>>> > > I'm a bit concerned about content_scripts not running on the Chrome
> >>>> > > Extension Gallery.
> >>>> > > I think that the first action a user will do once he installs a new
> >>>> > > extension from the Chrome Extension Gallery is going to be... try
> >>>> > > the new extension... but, if the extension uses content_script, it's
> >>>> > > not going to work... probably the next step will be... "Uninstall"
> >>>> > > At least... that's what I did with my own Extension :)
> >>>> > >
> >>>> > > Sorry for my English and for my comment, if misplaced.
> >>>> > > Thank you again
> >>>> > >
> >>>> > > Claudio
> >>>> > >
> >>>> > > On Dec 2, 6:57 pm, Finnur Thorarinsson <[email protected]> wrote:
> >>>> > > > Yes, for security reasons we don't support running content scripts
> >>>> > > > on the Chrome Extension Gallery.
> >>>> > > >
> >>>> > > > As for mail.google.com, it works for me, although I'm on Windows.
> >>>> > > >
> >>>> > > > Oh, and as a side note, if your manifest includes running
> >>>> > > > content_scripts on file://, then the users of your extension are
> >>>> > > > going to have a very scary looking security warning when they try
> >>>> > > > to install your extension. I recommend not having your content
> >>>> > > > script run on file:// unless you absolutely need to.
> >>>> > > >
> >>>> > > > -F
> >>>> > > >
> >>>> > > > On Wed, Dec 2, 2009 at 08:46, Claudio Benvenuti <[email protected]> wrote:
> >>>> > > > > Hello Everybody,
> >>>> > > > > I'm developing an extension that makes use of content script.
> >>>> > > > > In manifest.json I have:
> >>>> > > > >
> >>>> > > > > "content_scripts": [
> >>>> > > > >   {
> >>>> > > > >     "matches": ["http://*/*", "https://*/*", "file:///*"],
> >>>> > > > >     "js": ["source.js"]
> >>>> > > > >   }
> >>>> > > > > ],
> >>>> > > > >
> >>>> > > > > but in some pages, like https://mail.google.com/mail/, or like my
> >>>> > > > > chrome extension dashboard
> >>>> > > > > (https://chrome.google.com/extensions/developer/dashboard), my
> >>>> > > > > content script is not injected in the page, so my extension is
> >>>> > > > > not working.
> >>>> > > > > I checked this using the Developer Tools.
> >>>> > > > >
> >>>> > > > > I'm using Chromium 4.0.260.0 under Linux.
> >>>> > > > > Is anyone experiencing this problem?
> >>>> > > > > Am I missing something?
> >>>> > > > >
> >>>> > > > > Thanks everybody
> >>>> > > > > Claudio
> >>>> > > > >
> >>>> > > > > --
> >>>> > > > >
> >>>> > > > > You received this message because you are subscribed to the
> >>>> > > > > Google Groups "Chromium-extensions" group.
> >>>> > > > > To post to this group, send email to [email protected].
> >>>> > > > > To unsubscribe from this group, send email to [email protected].
> >>>> > > > > For more options, visit this group at
> >>>> > > > > http://groups.google.com/group/chromium-extensions?hl=en.
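
The match patterns from the manifest quoted in this thread, run through a small pre-publication audit. This is an added example, not code from the thread or from Chromium; `RESTRICTED_PREFIXES`, `auditManifest` and `willInject` are hypothetical names, and the restricted prefix is an assumption modelled on the dashboard URL quoted above.

```javascript
// Added example, not code from the thread. RESTRICTED_PREFIXES is an assumption
// modelled on the dashboard URL quoted in the thread, not Chrome's real list.
const RESTRICTED_PREFIXES = ["https://chrome.google.com/extensions/"];

// The manifest fragment posted in the thread (wrapped in an object).
const THREAD_MANIFEST = {
  content_scripts: [
    { matches: ["http://*/*", "https://*/*", "file:///*"], js: ["source.js"] },
  ],
};

// Translate a match pattern (<scheme>://<host><path>) into a RegExp.
function patternToRegExp(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host, path] = m;
  // file: patterns have an empty host; every other scheme needs one.
  if ((scheme === "file") !== (host === "")) {
    throw new Error("invalid host in match pattern: " + pattern);
  }
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe = esc(host);
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + esc(host.slice(2));
  const pathRe = path.split("*").map(esc).join(".*");
  return new RegExp("^" + schemeRe + "://" + hostRe + pathRe + "$");
}

// Flag patterns a reviewer should question before publishing.
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      patternToRegExp(p); // throws on malformed patterns
      if (p.startsWith("file://")) findings.push({ pattern: p, issue: "file-access" });
      else if (/^(\*|https?):\/\/\*\//.test(p)) findings.push({ pattern: p, issue: "all-hosts" });
    }
  }
  return findings;
}

// Would a content script from this manifest run on `url` under this model?
function willInject(manifest, url) {
  if (RESTRICTED_PREFIXES.some((prefix) => url.startsWith(prefix))) return false;
  return (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => patternToRegExp(p).test(url)));
}

console.log(auditManifest(THREAD_MANIFEST));
```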
