Can a website block a Chrome Extension?


Problem description


Is it possible to block Chrome Extensions from running on particular websites?

Say I have a website www.foo.com, is it possible for me to block Chrome Extensions (in particular, content scripts) from working on my website, or stop them from accessing the DOM?

Solution

For the short answer to the question, go to the 4th Edit:

You need to know the extensionId from the Extension you want to block, so that it works.

Here is a Testsite from the Proof of Concept: Testsite

and here is the information behind the Solution: Intro to Chrome addons hacking: fingerprinting

Now that you know what Extensions are running, you can redirect/block/...

I hope it helps.

Edit:

Tested with (Chrome Version 27.0.1453.94) on Windows XP

Edit 2:

This technique will only work if:

  1. You know the extensionid :)
  2. IMPORTANT! At least one Resource (like the manifest.json, some image, script, ...) is set as "web_accessible_resources" (in the manifest) OR the extension still uses a manifest version 1 and has no "web_accessible_resources" set. (Resource from chrome dev site Link)

Edit 3:

Case Extension: JSONView

You could detect the extension with this code (only example code):

<script src="chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif" onerror="console.info('Extension Not Found')" onload="console.info('Extension Found')"></script>
<!-- since the file error.gif is allowed in the manifest "web_accessible_resources" (any other file mentioned there would also be fine) -->
<!-- the block code should come in the onload of the script tag -->
<!-- tested with Chrome 27+ WinXp -->

Some Context: The JSONView Extension has a version 2 Manifest:

...
"manifest_version": 2, 
"name": "JSONView",
...

so by default you cannot access the manifest file as mentioned in the "Proof of Concept" above.

BUT it uses the "web_accessible_resources" attribute in the Manifest, which allows websites to access files from the Extension.

...
"web_accessible_resources": [ "jsonview.css", "jsonview-core.css", "content_error.css", "options.png", "close_icon.gif", "error.gif" ]
...

So now you can call any of these files from your webpage.

example:

chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif
chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/jsonview.css
...

And with this url in an Image/Script/.. -Tag you can know if the extension is there, if the onload Event fires.

P.S.: I only tested this with (Chrome Version 27.0.1453.94) on Windows XP; in other versions it might not work. (See comment from T.J. Crowder.)

P.P.S.: For more details, check the Chrome Developer Resources. Here is the Link to the Extension on the Chrome Resource Page ("Finger printing" Stuff)

Edit 4:

I don't think it can be blocked per se, but if you can detect the extension as mentioned above you could:

  • redirect away from your Page
  • or Popup a message(every few seconds) saying, "disable the extension for this Site"
  • or you could check the Extension code to see if you maybe could "break" or hinder its functionality.
  • or you could use some Code like in the answer of BeardFist
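
The condition from Edit 2 and the probe from Edit 3, written out as an added example (not code from the answer or from Chrome). `probeUrls` and `detectExtension` are hypothetical names; the code assumes a missing `manifest_version` means version 1 and that wildcard entries cannot be probed by URL. It is equally useful to an extension author checking what their own manifest exposes to pages.

```javascript
// Added example; probeUrls and detectExtension are hypothetical names.
const IMAGE_RE = /\.(gif|png|jpe?g)$/i;

// URLs a web page may load from the extension, per its manifest (v1 or v2).
function probeUrls(extensionId, manifest) {
  const version = manifest.manifest_version || 1; // assumption: absent = v1
  const listed = manifest.web_accessible_resources;
  let files;
  if (Array.isArray(listed)) {
    // An explicit list is the whole allow-list. Wildcard entries cannot be
    // requested as a URL, so they are skipped.
    files = listed.filter((f) => typeof f === "string" && !f.includes("*"));
  } else if (version === 1) {
    files = ["manifest.json"]; // v1, no list: every packaged file is reachable
  } else {
    files = []; // v2, no list: nothing is reachable, the probe cannot work
  }
  return files.map((f) => `chrome-extension://${extensionId}/${f.replace(/^\//, "")}`);
}

// Browser only: resolves true as soon as one image resource fires onload,
// false once every candidate has fired onerror.
function detectExtension(urls) {
  const images = urls.filter((u) => IMAGE_RE.test(u));
  if (images.length === 0) return Promise.resolve(false);
  return new Promise((resolve) => {
    let pending = images.length;
    for (const url of images) {
      const img = new Image();
      img.onload = () => resolve(true);
      img.onerror = () => { if (--pending === 0) resolve(false); };
      img.src = url;
    }
  });
}

// Manifest fragment and extension id quoted in the answer (JSONView).
const JSONVIEW_ID = "chklaanhfefbnpoihckbnefhakgolnmc";
const jsonView = {
  manifest_version: 2,
  name: "JSONView",
  web_accessible_resources: ["jsonview.css", "jsonview-core.css",
    "content_error.css", "options.png", "close_icon.gif", "error.gif"],
};

if (typeof Image !== "undefined") { // skipped outside a browser
  detectExtension(probeUrls(JSONVIEW_ID, jsonView)).then((found) =>
    console.info(found ? "Extension Found" : "Extension Not Found"));
}
```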
