Question

I've written an NPAPI plugin and I want to implement an NSIS installer that can install the plugin automatically.

I've googled a lot and found that from Chrome browser v25, *.crx package installation using the Windows registry does not work any more (the installed extension will be disabled by default). It seems that Google does not allow any automatic extension installations without being approved by the user.

However, I also found that if I install the plugin dll (instead of crx) on the user's local machine and write reg keys to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@myplugin.com/myplugin with the correct dll path, the plugin could be installed automatically as long as my user downloaded and executed my installer, without any notification that the new plugin was going to be installed.

My question is: why does my installer work? Is it in contradiction with Google's policy? Shouldn't all the plugins installed under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins be blocked or disabled by default?


Solution

Extensions and NPAPI plugins are very, very different, as are the associated risks to users, and they therefore have different policies.

Extensions can't be silently installed because that ends up being used to install malicious extensions that do things like change browser settings and make them hard to change back, easily harvest sensitive information from sites users visit, inject extra ads on every site the user visits (and/or replace ads that support sites with ads that just pay the malware authors), etc.

NPAPI plugins, on the other hand, do absolutely nothing in the browser unless specifically loaded by a page. They aren't particularly interesting as malware, because the added capability that NPAPI plugins give you is the ability to run native code. But if a malware author can get someone to run an installer to install the plugin, they could just as easily install something else instead that runs native code continuously in the background, rather than only when a user visits a site that triggers a plugin (and they can much more easily hide that than a plugin, which has to be in a known location, and shows up in Chrome).

The danger with NPAPI is around exploits of already-installed, non-malicious plugins, whereas the installation of malicious extensions is a real issue.
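
Because a registered NPAPI plugin has to sit in a known location, that location can be audited. The following is an added example, not part of the original answer: a PowerShell inventory of every plugin registered under `MozillaPlugins`, with the signature status of each DLL. The `Path` value name and the per-user `HKEY_CURRENT_USER` location follow the Mozilla plugin registry scheme and are assumptions not stated on this page.

```powershell
# Added example: inventory NPAPI plugins registered under MozillaPlugins.
# The .NET registry API is used because plugin key names such as
# "@myplugin.com/myplugin" contain "/", which the PowerShell registry
# provider would treat as a path separator.
$targets = @(
    @{ Hive = 'LocalMachine'; View = 'Registry64' },
    @{ Hive = 'LocalMachine'; View = 'Registry32' },  # the Wow6432Node view
    @{ Hive = 'CurrentUser';  View = 'Default'    }   # assumption: per-user registrations
)

$results = foreach ($t in $targets) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($t.Hive, $t.View)
    $root = $base.OpenSubKey('SOFTWARE\MozillaPlugins')
    if ($null -eq $root) { $base.Dispose(); continue }

    foreach ($name in $root.GetSubKeyNames()) {
        $key  = $root.OpenSubKey($name)
        $path = [string]$key.GetValue('Path')   # full path of the plugin DLL
        $key.Dispose()

        # A registration whose DLL is missing is reported, not skipped.
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

        [pscustomobject]@{
            Hive      = $t.Hive
            View      = $t.View
            PluginId  = $name
            Path      = $path
            Exists    = [bool]$exists
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '' }
        }
    }
    $root.Dispose(); $base.Dispose()
}

# List unsigned, invalidly signed or missing binaries first.
$results | Sort-Object { $_.SigStatus -eq 'Valid' }, PluginId |
    Format-Table -AutoSize -Wrap
```

On 32-bit Windows the two `LocalMachine` views resolve to the same key, so each entry appears twice.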

Licensed under: CC-BY-SA with attribution