Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How protect chrome extension

Chrome extension is packed to zip archive. After setup it is installed on folder and user can access to it. Also he can rewrite extension and even clone to new extension.

How i can protect extension from user modifications and cloning? I find possibility for dll files (can be compiled) - but it is not very nice.

like image 811
mpz Avatar asked Aug 09 '12 05:08

mpz


4 Answers

In case you have some proprietary code (e.g. special algo you want to keep safe etc') and you are targeting Chrome - I would suggest to go with Native Client. Nacl let you run C/C++ code in your browser. It's very powerful and you can be sure it will be very hard for someone to pick into your binary.

like image 140
Ido Green Avatar answered Sep 22 '22 17:09

Ido Green


The premise seems to be simple. By default browser interprets HTML/Javascript, so are the chrome extensions which run along with the page.

One way is to obfuscate your javascript code , or rely on NPAPI compiled-binary plugins, or use NaCL

Obfuscating the code might no longer be a solution after Chrome forbade obfuscating extensions: https://stackoverflow.com/a/49509913

like image 27
Satish Avatar answered Sep 21 '22 17:09

Satish


Currently there is no way you can hide your Chrome extension source code from users or competitors.

There is a statement in Chrome web store faq:

Can I sell extensions in the store? Not yet, but this functionality is coming soon.

You may wait for this feature or try the following alternatives:

  • Obfuscate your Javascript source: Check this for more details How can I obfuscate (protect) JavaScript?

  • Keep your key logic on a remote server and make Ajax calls from the background script to communicate to the server

Chrome extensions are free from 'same origin policy' if cross-origin permission is defined in the manifest:

Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

Define the following in your manifest:

{
    "name": "your extension",
    ...
    "permissions": [
        "http://www.yourserver.com/"
    ],
    ...
}
like image 29
Sunil Manheri Avatar answered Sep 18 '22 17:09

Sunil Manheri


I'm using Gulp plugin for JavaScript obfuscation. It doesn't break extension's code.

like image 42
user1635430 Avatar answered Sep 22 '22 17:09

user1635430