How protect chrome extension
https://stackoverflow.com/questions/11877473
-
25-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Chrome extension is packed to zip archive. After setup it is installed on folder and user can access to it. Also he can rewrite extension and even clone to new extension.
How i can protect extension from user modifications and cloning? I find possibility for dll files (can be compiled) - but it is not very nice.
Solution
The premise seems to be simple. By default browser interprets HTML/Javascript, so are the chrome extensions which run along with the page.
One way is to obfuscate your javascript code , or rely on NPAPI compiled-binary plugins, or use NaCL
Obfuscating the code might no longer be a solution after Chrome forbade obfuscating extensions: https://stackoverflow.com/a/49509913
OTHER TIPS
In case you have some proprietary code (e.g. special algo you want to keep safe etc') and you are targeting Chrome - I would suggest to go with Native Client. Nacl let you run C/C++ code in your browser. It's very powerful and you can be sure it will be very hard for someone to pick into your binary.
Currently there is no way you can hide your Chrome extension source code from users or competitors.
There is a statement in Chrome web store faq:
Can I sell extensions in the store? Not yet, but this functionality is coming soon.
You may wait for this feature or try the following alternatives:
Obfuscate your Javascript source: Check this for more details How can I obfuscate (protect) JavaScript?
Keep your key logic on a remote server and make Ajax calls from the background script to communicate to the server
Chrome extensions are free from 'same origin policy' if cross-origin permission is defined in the manifest:
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
Define the following in your manifest:
{
"name": "your extension",
...
"permissions": [
"http://www.yourserver.com/"
],
...
}
I'm using Gulp plugin for JavaScript obfuscation. It doesn't break extension's code.
