Erik pointed me at
http://code.google.com/p/chromium/issues/detail?id=30530 which would
allow you to prevent other Chrome extensions from accessing your
web service by checking the referrer on any request coming into your web
server.

This won't prevent someone from writing other types of software that abuse
your service, but could limit the case where copied extensions use the
original extension's web service without permission.

The inherent difficulties in verifying signed requests, as well as the
possibility for users to run modified copies of Chrome or pull any
certificates Chrome uses to sign from memory make me think that we should
avoid a signing-based solution.

~Arne

On Thu, Dec 17, 2009 at 1:11 AM, Adam Barth <aba...@chromium.org> wrote:

> That's an interesting idea.  One question: how could you tell if the
> request was sent by a fake client (e.g., someone with a customized
> version of Chrome that lies about which extension sent the request)?
> Does that matter for your use case?
>
> Adam
>
>
> On Wed, Dec 16, 2009 at 1:54 AM, sachin <therealsac...@gmail.com> wrote:
> > Hi,
> >
> > I was wondering if there is a way to authenticate a request coming from
> > an extension. Idea is to validate that the request was sent by "my"
> > extension rather than any other fake/copied extension.
> >
> > I was wondering if chrome can provide an api for making XHR, but in
> > addition sign the request with gadget url and some secret, such that
> > the signature could be verified from server side?
> >
> > Regards,
> > Sachin
> >
> > --
> >
> > You received this message because you are subscribed to the Google Groups
> > "Chromium-extensions" group.
> > To post to this group, send email to
> > chromium-extensi...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > chromium-extensions+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/chromium-extensions?hl=en.
>
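
The referrer check discussed in this thread, sketched as an added example (not code from any of the posters or from Chromium). It assumes the request carries a `Referer` of the form `chrome-extension://<id>/...`; the extension ID and sample header values are constructed. As the thread notes, a modified or non-browser client can send any header, so this only filters copied extensions running in unmodified Chrome.

```javascript
// Added example: allow-list check on the Referer header, server side.
// ALLOWED_EXTENSION_ID is a constructed placeholder, not a real extension.
const ALLOWED_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop";

// Assumption: the header has the form chrome-extension://<id>[/path], where
// <id> is 32 letters in the range a-p. Anchoring both ends and requiring "/"
// or end-of-string right after the ID rejects look-alike values.
const EXTENSION_REFERRER = /^chrome-extension:\/\/([a-p]{32})(?:\/\S*)?$/;

// Returns the extension ID named by the header value, or null.
function extensionIdFromReferrer(value) {
  if (typeof value !== "string") return null;
  const match = EXTENSION_REFERRER.exec(value.trim());
  return match ? match[1] : null;
}

// headers: object with lower-cased names, as Node's http module provides.
function checkRequest(headers) {
  const id = extensionIdFromReferrer(headers["referer"]);
  if (id === null) return { allowed: false, reason: "no extension referrer" };
  if (id !== ALLOWED_EXTENSION_ID) return { allowed: false, reason: "other extension" };
  return { allowed: true, reason: "referrer matches" };
}

// Constructed sample header values.
const SAMPLES = [
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop/background.html",
  "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/background.html",
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop.example.com/",
  "https://example.com/?r=chrome-extension://abcdefghijklmnopabcdefghijklmnop/",
  undefined,
];

for (const referer of SAMPLES) {
  console.log(referer, "->", checkRequest({ referer }).reason);
}
```

A substring or prefix match on the ID would accept the third and fourth samples, which is why the pattern is anchored at both ends.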
