Enable a non-PlayStore UserScript with Chrome 35 and above

Question

Since the version 35 of Google Chrome, the execution of any extension installed outside of the Google's PlayStore is blocked and cannot be enabled from the extensions menu.

The auto-installation of non-store scripts was removed two years ago but downloading the script and performing a drag & drop on the extensions menu still allowed the installation, so it was still possible to create and share scripts for Google's Chrome. But now everything is locked.

• Is it possible to manually add permissions to your independant scripts ?
• Is it possible to white-list a personnal website ?
• Is there any other solution ?

I know that this restriction does not apply for dev and canary release channels but the scripts are purposed to be used by users with enough knowledge to know what they do, without forcing them to change their browser. The native support support is rather interresting on Chrome (even if completly locked now), so a solution without a third party plugin (ie : Tampermonkey) is better.

Thank you

Answer 1

The only way there seems to be left, short of installing an extension like Tampermonkey or getting a different browser, is starting the Chrome browser with the --enable-easy-off-store-extension-install flag.

Edit: Unfortunately, Google removed this flag from Chromium in April.

However, if the user (or any program) starts Chrome without this flag even once, the scripts will be disabled automatically. You can't re-enable them, even with the correct flag; your only option is to uninstall them and re-install then in the easy off-store extension install mode.

So, your options are:

1. Start Chrome with the --enable-easy-off-store-extension-install flag every time. If you have pinned Chrome to the task bar in Windows 7, the way to change the command line arguments for this shortcut is described here.
   If you have set Chrome as the default protocol handler for the HTTP and HTTPS protocols (which is the case if you made Chrome your default browser), you can modify the registry so this flag is set every time a program tries to open an HTTP or HTTPS URL with the default program.
   Also make sure you set this argument for file extensions Chrome is configured to open, such as .xht, .htm and .xhtml. You can do this with the following .reg file:

   Windows Registry Editor Version 5.00
   
   [HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command]
   @="\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --allow-easy-off-store-extension-install -- \"%1\""
   

   
   Make sure the path to Chrome is correct when you install this.

2. Install an extension such as Tampermonkey to manage your user scripts.
3. Install a different browser, either developer builds of Chrome or a completely different browser, such as Opera (which has native support for user scripts) or Firefox (with Scriptish).
4. Blocking Chrome updates before you receive version 35 and risk getting hacked.
5. Switching to a different operating system, as extensions are only blocked on Windows.
6. If your computer is part of a Windows domain, you can install extensions using Group Policy.
7. Turn your user scripts into bookmarklets.

I realize this is probably not what you want to hear, but as Google continues to restrict honest developers because of a few bad players there are no better options.

Edit: there is one more approach that I've found to be working, namely hijacking an installed extension with the correct permissions:

1. Find and install an extension that has permission to run a content script at the web page you want it to run at. For example, the Note Anywhere extension has permission to inject a user script when a document has loaded for any HTTP or HTTPS URI.
2. Go to the extensions page to find the ID of the extension.
3. Open the folder where Chrome stores the extensions. On Windows, this is %localappdata%\Google\Chrome\User Data\Default\Extensions.
4. In manifest.json, find the name and location of the injected script. Overwrite the contents of this file with your user script. (In the case of the extension chosen as an example, this is asset/stickies.js.
5. Remove any content of the extension not referenced in manifest.json. Replace any referenced scripts and HTML pages that you aren't using with emtpy files.
   For the extension mentioned above, I'd remove anything except for the icons, the content script, asset/stickies.css and background.html and replace the latter two with an empty file.
6. Go to the Chrome extensions page and disable and then re-enable the extension.
7. Make a back-up of your work in case the extension is updated.
8. Make a note somewhere that the extension in the extensions list has its contents replaced with your user script.

Answer 2

EDIT : I validate this solution because it's what helped me particularly on this problem. A much richer answer is the list of workarounds submited by user2428118. Even if they did not solved my specific problem, they should be considered.

I finally could find an answer to my question thanks to the link posted by yoz, and the fact is that you can still enable a script unrelated to the PlayStore, without any third party plug-in, but as you'll see : it might be better to use TamperMonkey (even if it might imply little adaptations, it's 200% easier).

The solution is to import the unpacked user-script in developer mode.

Step By Step Explanation

1. Create your user script myscript.user.js as usually

2. Include it in a directory and create a file named manifest.json. You'll get this structure (can be zipped for distribution) :

   myscript/

   • manifest.json
   • myscript.user.js

3. The manifest.json is a file required to import your script as a Chrome extension in developer. It describes your user script. Here is the related documentation, but the minimal code for our purpose is :

    {
        "manifest_version":2,
        "version":"1.0",
        "name": "MyScript",
        "content_scripts": [
            {
                "js": ["myscript.user.js"],
                "matches": ["http://domain.com/"]
            }
        ]
    }
   

4. Now that you have your directory with your user script and manifest.json, you can import it as an unpacked extension (a packed one will be disabled after Chrome's restart). To achieve this, simply check the "developer mode" and choose "Load Unpacked Extension...". Navigate to the directory created at step 2 and select it : that's "all".

Pros

• Native solution
• Natural for you if your developing your script on Chrome (obviously this wasn't my case :P)
• Your script is now treated like a "real" extension.

Cons

• Oh, god... I'm missing the one-click install : even if the user only has to achieve the step 4 it's still a pain.
• Looks less "professional" because the user has to enable the developer mode
• No longer "cross-browser" distribution since the Google Chrome's script has to be packed in a special way
• The original directory cannot be (re)moved without breaking the script
• A warning will be triggered every single time Chrome is opened to ask if you are sure that you want to use developer mode

Conclusion

I liked the way user-scripts had native support on Chrome : every third party plugin has some small variations (ie : datas or xhr handling). But the cons are to numerous and to important (especially the two last ones)... Even if enabling a non-PlayStore script is possible in a native way, it became such a pain that I recommend to adapt the script for a plugin such as TamperMonkey. After all, Chrome was an exception since every other browser require a plugin, now these plugins are the only way.

I still feel a bit disappointed, so if anyone happens to find a better solution (still hoping for some white-lists) I would enjoy to offer some bounty.

EDIT : Please note that user2428118 provided a list of other interesting workarounds. Even if they did not solved my specifif problem, they should be considered.

EDIT : manifest fixed