tksugimoto / chrome-extension_open-local-file-link

ローカルファイルへのリンク(file://~)を開けるようにするChrome拡張
https://chrome.google.com/webstore/detail/nikfmfgobenbhmocjaaboihbeocackld
MIT License
95 stars 38 forks source link

[Feature request] Specify domains where this is allowed #7

Open marnickmenting opened 7 years ago

marnickmenting commented 7 years ago

I want to use this plugin at my users of an intranet page. But I don't want to allow all websites (including malicious ones) to open local files. So I would like to have an option to only allow opening links on certain domains. I am a full-stack programmer, but have no experience in developing Chrome plugins, but I am happy to help.

tksugimoto commented 7 years ago

I understood the request.

There are two methods below.

  1. Restrict pages (domains, URLs, etc.) on which the extension works.
  2. Judge each list with the list of permitted pages.

The first method is the fastest if you only use it. Chrome extension can read and use local source code. (It can not be applied to expansion already published because the target page is different depending on the person.)

Also, for example, if you are an official of the information system department of the company and you are thinking of employees to use Chrome extensions, it's a good idea to choose this method and register it as a new private extension is. Because the second way is not to force each user to set it.

The first method can be realized by editing manifest.json. manifest.json#L23's matches property Match Patterns - Google Chrome

The second way is possible by editing the chrome.runtime.onMessage.addListener () part of background.js. background.js#L27 The url property exists in the second argument sender of the callback function. runtime#event-onMessage runtime#type-MessageSender


I do not feel the need to limit pages that can open local files. I do not know the dangers of the local file being opened by "user click" on "new tab". Without using this Chrome extension, it is possible to display in Chrome by dragging and dropping local files. If there is a problem only by displaying a specific local file, it seems that the existence of such a file locally is a problem.

Also, I think that it is more effective to open up local files from malicious pages and worry about whether the extension you are using is not malicious. Chrome extensions can do so many things. For example, it is possible to send all the browsing information to the outside by reading "all data of yourself on the website you accessed" requested by this extension. (※ This extension is not done)

Hemp0r commented 5 years ago

We also would like to use this extension, but we also have the need to restrict / whitelist pages for local file use. It's easier for us and others, to have the possibility to have whitelisting as an option. So we don't have to edit the manifest and publish it by ourself.

I could, if you want, fork this repo, make these changes as mentioned and create a pull request to his. Otherwise I have to create a new extension and publish it by myself. (which I don't prefer)

tksugimoto commented 5 years ago

@Hemp0r I'm sorry for the late reply.

From Chrome 70, you can now limit pages that run on Chrome side, not Chrome extensions. Chromium Blog: Trustworthy Chrome Extensions, by default

If it is OK with the opt-out method, I think that it is more certain and simple to use the function of Chrome side rather than coping with the function of Chrome extension side.

If an opt-in method (which does not require any authority at installation) is desired, pull requests are welcome. In the past I tried to develop the minimum privilege version using chrome.permissions.request, but development is stagnating because time is short. In addition, since the opt-in method that the user needs to set after installing the page to be activated is not for everyone, I will consider releasing it separately as an advanced version.

Screenshots

Right-click the Chrome extension icon on each web page

image

Management page of Chrome extension

chrome://extensions/?id=nikfmfgobenbhmocjaaboihbeocackld

image

My environment

Version 71.0.3578.80 (Official Build) (64-bit)