Can a Website detect what browser extensions are being used?

Question

Can a website detect what browser extensions are being used? Specifically in this case, the author of the extension wishes to prevent websites from identifying when users are using the extension. So, for a generic example, could the programmers at Yahoo! write code so that www.yahoo.com could tell when it's users were using Firebug? And if Yahoo! could do this, is there anything that the makers of Firebug could do to prevent this?

Answer 1

Looks like you can detect some of them in Firefox using javascript, here is an article:

http://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html

and one more:

http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/

here is how it is detected:

// popular extensions.
var e = {
 "Adblock Plus" : "chrome://adblockplus/skin/adblockplus.png",
 "Auto Copy" : "chrome://autocopy/skin/autocopy.png",
 "ColorZilla" : "chrome://colorzilla/skin/logo.png",
 "Customize Google" : "chrome://customizegoogle/skin/32x32.png",
 "DownThemAll!" : "chrome://dta/content/immagini/icon.png",
 "Faster Fox" : "chrome://fasterfox/skin/icon.png",
 "Flash Block" : "chrome://flashblock/skin/flash-on-24.png",
 "FlashGot" : "chrome://flashgot/skin/icon32.png",
 "Forecastfox" : "chrome://forecastfox/skin/images/icon.png",
 "Google Toolbar" : "chrome://google-toolbar/skin/icon.png",
 "Greasemonkey" : "chrome://greasemonkey/content/status_on.gif",
 "IE Tab" : "chrome://ietab/skin/ietab-button-ie16.png",
 "IE View" : "chrome://ieview/skin/ieview-icon.png",
 "JS View" : "chrome://jsview/skin/jsview.gif",
 "Live HTTP Headers" : "chrome://livehttpheaders/skin/img/Logo.png",
 "MeasureIt" : "chrome://measureit/skin/measureit.png",
 "SEO For Firefox" : "chrome://seo4firefox/content/icon32.png",
 "SEOpen" : "chrome://seopen/skin/seopen.png",
 "Search Status" : "chrome://searchstatus/skin/cax10.png",
 "Server Switcher" : "chrome://switcher/skin/icon.png",
 "StumbleUpon" : "chrome://stumbleupon/content/skin/logo32.png",
 "Tab Mix Plus" : "chrome://tabmixplus/skin/tmp.png",
 "Torrent-Search Toolbar" : "chrome://torrent-search/skin/v.png",
 "User Agent Switcher" : "chrome://useragentswitcher/content/logo.png",
 "View Source With" : "chrome://viewsourcewith/skin/ff/tb16.png",
 "Web Developer" : "chrome://webdeveloper/content/images/logo.png",
 "Unhide Passwords" : "chrome://unhidepw/skin/unhidepw.png",
 "UrlParams" : "chrome://urlparams/skin/urlparams32.png",
 "NewsFox" : "chrome://newsfox/skin/images/home.png",
 "Add N Edit Cookies" : "chrome://addneditcookies/skin/images/anec32.png",
 "GTDGmail" : "chrome://gtdgmail/content/gtd_lineitem.png",
 "QuickJava" : "chrome://quickjava/content/js.png",
 "Adblock Filterset.G Updater" : "chrome://unplug/skin/unplug.png",
 "BBCode" : "chrome://bbcode/skin/bbcode.png",
 "BugMeNot" : "chrome://bugmenot/skin/bugmenot.png",
 "ConQuery" : "chrome://conquery/skin/conquery.png",
 "Download Manager Tweak" : "chrome://downloadmgr/skin/downloadIcon.png",
 "Extended Cookie Manager" : "chrome://xcm/content/allowed.png",
 "FireBug" : "chrome://firebug/content/firebug32.png",
 "FoxyTunes" : "chrome://foxytunes/skin/logo.png",
 "MR Tech Disable XPI Install Delay" : "chrome://disable_xpi_delay/content/icon.png",
 "SessionSaver .2" : "chrome://sessionsaver/content/ss.png",
 "spooFX" : "chrome://spoofx/skin/main/spoofx.png",
 "Statusbar Clock" : "chrome://timestatus/skin/icon.png",
 "Torbutton" : "chrome://torbutton/skin/bigbutton_gr.png",
 "UnPlug" : "chrome://unplug/skin/unplug.png",
 "View Source Chart" : "chrome://vrs/skin/vrssmall.png",
 "XPather" : "chrome://xpather/content/iconka.png", 

};

if (is_mozilla) {
 showExtensions(); 
}

function showExtensions() {
 for (var i in e) {
  var img = document.createElement("img");
  img.setAttribute("border", '0');
  img.setAttribute("width", '0');
  img.setAttribute("height", '0');
  img.setAttribute("onload", "document.getElementById('ext').
appendChild(document.createElement('li')).innerHTML='" + i + "'");
  img.setAttribute("src", e[i]);
 }

}

So, looks like to prevent this kind of detection you don't need to have unique resources that can identify plugin or name your resource the same name as existing plugin to mask.

Answer 2

This information is not part of http protocol and if server-side is getting requests from browsers it can barely influence what kind of information is in http header. The only way it might be done is via JavaScript, so that you, as a programmer, create javascript that gets this information out of browsers. But only in case that the browser has available functions for this requirement.