Is it possible to block Chrome Extensions from running on particular websites?
Say I have a website www.foo.com, is it possible for me to block Chrome Extensions (in particular, content scripts) from working on my website, or stop them from accessing the DOM?
For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code. Note: You can only block or allow up to 100 URLs.
Install an Extension: One of the more popular options is Simple Allow Copy. Once installed, open the webpage in question, click the Simple Allow Copy icon to the right of the URL and start copying. Enable Copy works similarly. Both are easy to install and use.
You can try providing the permission to the Google Chrome Extensions (Allow/Deny) for the particular users. To disable write access, right-click the Extensions -> Properties -> Security -> Edit -> select the user. Hit Allow/Deny on the check box and they will/will not be able to install extensions.
If you want to export Chrome extensions manually, you have to enable 'Developer mode' in the browser and pack the extension in a CRX file. CRX is a file that Chrome automatically downloads and installs when you add an extension.
Since the other answer didn't really answer anything about actually stopping an extension, I thought I would add my own two cents. Using the method in the other answer, you can sometimes detect if a particular extension is installed and react accordingly, but this requires you to test for a particular ID string and file for that particular extension. I am sure that we can all agree that this isn't a very encompassing solution.
There are many things about extensions that you cannot stop from within your site, such as the chrome.webRequest API that adblock makes use of. There is nothing you can do to interfere directly with that sort of code, but there is plenty you can do on the DOM manipulation side.
Content scripts operate in an isolated world, meaning that they cannot see/interact with the JavaScript running on the site. They do, however, have complete access to the DOM and can do whatever they want to it. Conversely, your own JavaScript has the same access to that DOM. Taking advantage of that isolated world, we can set up a MutationObserver to watch over the DOM and prevent any unwanted changes. Because of the isolated world, content scripts cannot disable or turn off our observer while our own JavaScript can do so freely.
Here is an example of a MutationObserver that locks down the DOM with a little jQuery mixed in because I am lazy.
    // Observe every kind of change in the whole document and keep the old values.
    var config = {childList: true, attributes: true, characterData: true, subtree: true, attributeOldValue: true, characterDataOldValue: true};
    var observer = new MutationObserver(function(mutations){
        mutations.forEach(function(mutation){
            switch(mutation.type){
                case "attributes":
                    // Disconnect while repairing so the repair itself is not observed.
                    observer.disconnect();
                    if(mutation.attributeName == "class")
                        mutation.target.className = mutation.oldValue;
                    else if(mutation.attributeName=="id"||mutation.attributeName=="title")
                        mutation.target[mutation.attributeName] = mutation.oldValue;
                    else if(mutation.attributeName == "style")
                        mutation.target.style.cssText = mutation.oldValue;
                    observer.observe(document,config);
                    break;
                case "characterData":
                    observer.disconnect();
                    mutation.target.data = mutation.oldValue;
                    observer.observe(document,config);
                    break;
                case "childList":
                    observer.disconnect();
                    // Drop the inserted node and put the removed node back in place.
                    if(mutation.addedNodes.length > 0)
                        $(mutation.addedNodes[0]).remove();
                    if(mutation.removedNodes.length > 0){
                        if(mutation.nextSibling)
                            $(mutation.removedNodes[0]).insertBefore(mutation.nextSibling);
                        else if(mutation.previousSibling)
                            $(mutation.removedNodes[0]).insertAfter(mutation.previousSibling);
                        else
                            $(mutation.removedNodes[0]).appendTo(mutation.target);
                    }
                    observer.observe(document,config);
                    break;
            }
        });
    });
    // Start observing once the DOM is ready.
    $(function(){
        observer.observe(document,config);
    });
Throwing it into a chrome extension with a simple manifest such as:
    {
      "name": "DOM Polymerase",
      "version": "1.0",
      "manifest_version": 2,
      "permissions": [ "tabs", "<all_urls>" ],
      "content_scripts": [{
        "matches": ["http://example.iana.org/*"],
        "js": ["jquery-1.8.3.min.js", "polymerase.js"]
      }]
    }
And navigating to http://example.iana.org/ will show that external manipulation of the DOM (except for some attributes, I didn't code them all in there) is no longer possible. Of course, in this case internal manipulation is also denied, but if the code was in the site instead of an extension, it would be a different story. While this doesn't disable extensions completely, it should at least preserve your DOM.
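The in-site variant the answer points to at the end, as an added example that is not part of the original answer: plain JavaScript without jQuery, reverting any attribute and every node in a record, with a wrapper through which the site's own code can still change the DOM. All function and variable names are assumptions made for this sketch.

```javascript
// Added example; every name in it is hypothetical, not from the answer above.
const GUARD_CONFIG = {
  childList: true, attributes: true, characterData: true, subtree: true,
  attributeOldValue: true, characterDataOldValue: true,
};

// Undo one MutationRecord; handles any attribute, not a fixed list of names.
function revertRecord(record) {
  const target = record.target;
  if (record.type === "attributes") {
    if (record.oldValue === null) target.removeAttribute(record.attributeName);
    else target.setAttribute(record.attributeName, record.oldValue);
  } else if (record.type === "characterData") {
    target.data = record.oldValue;
  } else if (record.type === "childList") {
    for (const node of Array.from(record.addedNodes)) {
      if (node.parentNode) node.parentNode.removeChild(node);
    }
    // insertBefore(node, null) appends, which covers a missing nextSibling.
    for (const node of Array.from(record.removedNodes)) {
      target.insertBefore(node, record.nextSibling || null);
    }
  }
}

// Revert newest-first so each record is undone against the tree it produced.
function revertAll(records) {
  for (let i = records.length - 1; i >= 0; i--) revertRecord(records[i]);
  return records.length;
}

function installGuard(root) {
  const observer = new MutationObserver((records) => {
    observer.disconnect(); // do not record our own repairs
    revertAll(records);
    observer.observe(root, GUARD_CONFIG);
  });
  observer.observe(root, GUARD_CONFIG);
  // The site's own code changes the DOM only through this wrapper.
  return function withGuardPaused(change) {
    revertAll(observer.takeRecords()); // settle pending foreign changes first
    observer.disconnect();
    try { return change(); } finally { observer.observe(root, GUARD_CONFIG); }
  };
}

if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  window.guardedChange = installGuard(document.documentElement);
}
```

Changes made inside `guardedChange(() => { ... })` are not recorded and therefore not reverted; anything else that touches the observed tree is rolled back on the next observer callback.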
For the short answer to the question, go to the 4th edit:
You need to know the extensionId from the Extension you want to block, so that it works.
Here is a Testsite from the Proof of Concept Testsite
and here is the information behind the Solution: Intro to Chrome addons hacking: fingerprinting
Now that you know what extensions are running, you can redirect/block/...
I hope it helps.
Edit:
Tested with (Chrome Version 27.0.1453.94) on Windows XP
Edit 2:
This technique will only work if:
Edit 3:
Case Extension: JSONView
You could detect the extension with this code (only example code):
    <script src="chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif" onerror="console.info('Extension Not Found')" onload="console.info('Extension Found')"></script>
    <!-- since the file error.gif is allowed in the manifest "web_accessible_resources" (any other file mentioned there would also be fine) -->
    <!-- the block code should come in the onload of the script tag -->
    <!-- tested with Chrome 27+ WinXp -->
Some Context: The JSONView Extension has a version 2 Manifest:
    ...
    "manifest_version": 2,
    "name": "JSONView",
    ...
so by default you cannot access the manifest file as mentioned in the "Proof of Concept" above.
BUT it uses the "web_accessible_resources" attribute in the Manifest, which allows websites to access files from the Extension.
    ...
    "web_accessible_resources": [
      "jsonview.css",
      "jsonview-core.css",
      "content_error.css",
      "options.png",
      "close_icon.gif",
      "error.gif"
    ]
    ...
So now you can call any of these files from your webpage.
example:
    chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif
    chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/jsonview.css
    ...
And with this URL in an Image/Script/... tag you can know if the extension is there, if the onload event fires.
P.S.: I only tested this with Chrome Version 27.0.1453.94 on Windows XP; in other versions it might not work. (See comment from T.J. Crowder.)
P.P.S.: For more details check the Chrome Developer Resources. Here is the link to the extension on the Chrome resource page ("fingerprinting" stuff).
Edit 4:
I don't think it can be blocked per se, but if you can detect the extension as mentioned above you could:
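Added example, not part of the answer above and not code from Chrome or JSONView: given an extension's manifest, it lists which `chrome-extension://` URLs a page can request to detect that extension, the `web_accessible_resources` mechanism described in Edit 3. It goes beyond the manifest version 2 case in the answer by also reading the manifest version 3 object form (`resources`, `matches`, `use_dynamic_url`); the function names and the simplified match-pattern check are assumptions.

```javascript
// Added example; function names are hypothetical. SAMPLE_MV2 is a constructed
// manifest built from the JSONView excerpt quoted in the answer.
const SAMPLE_ID = "chklaanhfefbnpoihckbnefhakgolnmc";
const SAMPLE_MV2 = {
  manifest_version: 2, name: "JSONView",
  web_accessible_resources: ["jsonview.css", "jsonview-core.css",
    "content_error.css", "options.png", "close_icon.gif", "error.gif"],
};

// Simplified match-pattern check: scheme and host only, path is ignored.
function matchesOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const p = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  const o = /^(https?):\/\/([^/:]+)/.exec(origin);
  if (!p || !o) return false;
  if (p[1] !== "*" && p[1] !== o[1]) return false;
  if (p[2] === "*") return true;
  if (p[2].startsWith("*.")) {
    return o[2] === p[2].slice(2) || o[2].endsWith(p[2].slice(1));
  }
  return o[2] === p[2];
}

// List the extension URLs a page at pageOrigin can request to detect it.
// Glob entries such as "img/*" are returned as written, not expanded.
function exposedResources(manifest, extensionId, pageOrigin) {
  const base = "chrome-extension://" + extensionId + "/";
  const version = manifest.manifest_version || 1;
  if (version < 2) { // v1: every packaged file was reachable from web pages
    return { version, urls: [base + "manifest.json"] };
  }
  const urls = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") { // v2: flat list of paths
      urls.push(base + entry.replace(/^\//, ""));
    } else if (entry && Array.isArray(entry.resources)) { // v3: objects
      if (entry.use_dynamic_url) continue; // URL changes per session
      const allowed = (entry.matches || []).some((m) => matchesOrigin(m, pageOrigin));
      if (!allowed) continue;
      for (const r of entry.resources) urls.push(base + r.replace(/^\//, ""));
    }
  }
  return { version, urls };
}
```

An empty `urls` list means the load-probe from Edit 3 has nothing stable to request for that extension from that origin.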