Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How protect chrome extension

Tags:

source-code-protection

google-chrome-extension

Chrome extension is packed to zip archive. After setup it is installed on folder and user can access to it. Also he can rewrite extension and even clone to new extension.

How i can protect extension from user modifications and cloning? I find possibility for dll files (can be compiled) - but it is not very nice.

like image 811
mpz Avatar asked Aug 09 '12 05:08

mpz

4 Answers

In case you have some proprietary code (e.g. special algo you want to keep safe etc') and you are targeting Chrome - I would suggest to go with Native Client. Nacl let you run C/C++ code in your browser. It's very powerful and you can be sure it will be very hard for someone to pick into your binary.

like image 140
Ido Green Avatar answered Sep 22 '22 17:09

Ido Green

The premise seems to be simple. By default browser interprets HTML/Javascript, so are the chrome extensions which run along with the page.

One way is to obfuscate your javascript code , or rely on NPAPI compiled-binary plugins, or use NaCL

Obfuscating the code might no longer be a solution after Chrome forbade obfuscating extensions: https://stackoverflow.com/a/49509913

like image 27
Satish Avatar answered Sep 21 '22 17:09

Satish

Currently there is no way you can hide your Chrome extension source code from users or competitors.

There is a statement in Chrome web store faq:

Can I sell extensions in the store? Not yet, but this functionality is coming soon.

You may wait for this feature or try the following alternatives:

  • Obfuscate your Javascript source: Check this for more details How can I obfuscate (protect) JavaScript?

  • Keep your key logic on a remote server and make Ajax calls from the background script to communicate to the server

Chrome extensions are free from 'same origin policy' if cross-origin permission is defined in the manifest:

Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

Define the following in your manifest:

{
    "name": "your extension",
    ...
    "permissions": [
        "http://www.yourserver.com/"
    ],
    ...
}
like image 29
Sunil Manheri Avatar answered Sep 18 '22 17:09

Sunil Manheri

I'm using Gulp plugin for JavaScript obfuscation. It doesn't break extension's code.

like image 42
user1635430 Avatar answered Sep 22 '22 17:09

user1635430
Sign in to Comment

Related questions

How long before stats and ratings display for new Chrome Extensions in Web Store? [closed]
chrome extension storage: set/get value
How to steal focus from the omnibox in a Chrome extension on the new tab page?
Sending message to background script
How to specify icons in manifest.json?
How to add multiple domains to content_security_policy in a Chrome plugin?
Can I access JavaScript snippets using chrome.devtools API?
Chrome.webRequest API - requestBody always undefined
Run Chrome Extensions using command prompt
Firebase authentication in Chrome Extension popup
Chrome Extension - Invalid Package. Details:Can't unzip the extension
Chrome Extension : How to handle disable and enable event from browser
Opening a new tab on Google Chrome Extension
Alert not appearing in popup.html of chrome extension
Get JSON in a Chrome extension
How do you get the device name (or hostname) from a Chrome Extension?
chrome.webRequest.onAuthRequired Listener
chrome-extension:// links open about:blank
Get id_token with Chrome Identity API
Deleting DOM elements before the Page is displayed to the screen (in a Chrome extension)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!