Is it possible to block Chrome Extensions from running on particular websites?
Say I have a website www.foo.com, is it possible for me to block Chrome Extensions (in particular, content scripts) from working on my website, or stop them from accessing the DOM?
For the short answer to the question, go to the 4th Edit:
You need to know the extensionId from the Extension you want to block, so that it works.
Here is a test site from the Proof of Concept: Testsite
and here is the information behind the solution: Intro to Chrome addons hacking: fingerprinting
Now that you know what Extensions are running, you can redirect/block/...
I hope it helps.
Edit:
Tested with (Chrome Version 27.0.1453.94) on Windows XP
Edit 2:
This technique will only work if:
- You know the extensionid :)
- IMPORTANT! At least one resource (like the manifest.json, some image, script, ...) is set as "web_accessible_resources" (in the manifest) OR the extension still uses a manifest version 1 and has no "web_accessible_resources" set. (Resource from chrome dev site Link)
Edit 3:
Case Extension: JSONView
You could detect the extension with this code (only example code):
<script src="chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif" onerror="console.info('Extension Not Found')" onload="console.info('Extension Found')"></script>
<!-- since the file error.gif is allowed in the manifest "web_accessible_resources" (any other file mentioned there would also be fine) -->
<!-- the block code should come in the onload of the script tag -->
<!-- tested with Chrome 27+ WinXp -->
Some Context:
The JSONView Extension has a version 2 Manifest:
...
"manifest_version": 2,
"name": "JSONView",
...
so by default you cannot access the manifest file as mentioned in the "Proof of Concept" above.
BUT it uses the "web_accessible_resources" attribute in the Manifest, which allows websites to access files from the Extension.
...
"web_accessible_resources": [ "jsonview.css", "jsonview-core.css", "content_error.css", "options.png", "close_icon.gif", "error.gif" ]
...
So now you can call any of these files from your webpage.
example:
chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/error.gif
chrome-extension://chklaanhfefbnpoihckbnefhakgolnmc/jsonview.css
...
And with this URL in an Image/Script/.. tag you can know if the extension is there, if the onload event fires.
P.S.: I only tested this with (Chrome Version 27.0.1453.94) on Windows XP; in other versions it might not work. (see comment from T.J. Crowder)
P.P.S.: For more details check the Chrome Developer Resources. Here is the link to the Extension on the Chrome Resource Page ("Finger printing" stuff)
Edit 4:
I don't think it can be blocked per se, but if you can detect the extension as mentioned above you could:
- redirect away from your Page
- or pop up a message (every few seconds) saying, "disable the extension for this Site"
- or you could check the Extension code to see if you maybe could "break" or hinder its functionality.
- or you could use some Code like in the answer of BeardFist
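
The conditions from Edit 2 applied to a manifest, together with the onload/onerror check from Edit 3, as an added example that is not part of the original answer. The helper names `probeableUrls`, `probe` and `detectExtension` are hypothetical, the sample manifest is constructed from the fragments quoted in Edit 3, and treating a missing `manifest_version` as version 1 is an assumption.

```javascript
// Added example (not from the original answer). Helper names are hypothetical.
// Constructed sample: the JSONView manifest fragments quoted in Edit 3.
const JSONVIEW_ID = "chklaanhfefbnpoihckbnefhakgolnmc";
const JSONVIEW_MANIFEST = {
  manifest_version: 2,
  name: "JSONView",
  web_accessible_resources: ["jsonview.css", "jsonview-core.css",
    "content_error.css", "options.png", "close_icon.gif", "error.gif"],
};

// Apply the Edit 2 conditions: return the chrome-extension:// URLs that a
// web page could load to test whether this extension is installed.
function probeableUrls(extensionId, manifest) {
  const base = `chrome-extension://${extensionId}/`;
  const war = manifest.web_accessible_resources;
  // Assumption: a manifest with no manifest_version key counts as version 1.
  const version = manifest.manifest_version || 1;
  if (version === 1 && war === undefined) {
    // Version 1 with no list set: manifest.json itself is reachable.
    return [base + "manifest.json"];
  }
  if (!Array.isArray(war)) return []; // version 2+, nothing exposed
  return war
    .filter((p) => typeof p === "string" && !p.includes("*")) // exact paths only
    .map((p) => base + p.replace(/^\/+/, ""));
}

// Browser side: resolve true if the resource loads, false on error or
// timeout. createImage is injectable so the logic can run outside a browser.
function probe(url, createImage = () => new Image(), timeoutMs = 2000) {
  return new Promise((resolve) => {
    const img = createImage();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    const done = (found) => { clearTimeout(timer); resolve(found); };
    img.onload = () => done(true);
    img.onerror = () => done(false);
    img.src = url;
  });
}

// Probe the image resources in order; return the first URL that loaded, or null.
async function detectExtension(extensionId, manifest, createImage) {
  const images = probeableUrls(extensionId, manifest)
    .filter((u) => /\.(gif|png|jpe?g)$/i.test(u));
  for (const url of images) {
    if (await probe(url, createImage)) return url;
  }
  return null;
}
```

In a page, `detectExtension(JSONVIEW_ID, JSONVIEW_MANIFEST)` resolves to the first resource URL that loaded, or `null` when none did.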