As a frontend engineer, I often struggle to wait for the BE engineers to develop their APIs before I can get started building UI components.
So far, we would build the naive web components, and wait for the BE APIs before integration. However, this prevented me from developing end to end integrated experiences.
The Chrome WebRequests API mentions that specific request headers are not available to the
onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:
The following headers are currently not provided to the
onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.
Is there a security reason to disable extensions from reading or writing these? How could an extension act malicious if it could read/write these values?
Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as
Content-Length are a complete enigma to me.
Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.
If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how their work? If so, was it done? If not, why? If this (can be) done, why people continue using these services?
Related: How does Widevine, FairPlay, and other DRM's work under the hood?
My wife inadvertently clicked on a flash player update and suddenly my chrome browser is being managed by org. something about enterprise policy yadda yadda. I tried deleting chrome and reinstalling but to no avail. How do i get rid of this devil spawn browser hijacker for good?
I’ve been dealing with this Chrome malware for awhile now, and I can’t identify where it’s coming from. Very occasionally, when I click on a top link in Google, it’ll redirect me to a site that looks like this (always the same green circle with the text “Loading”), and then to adware. The redirect is located at a new domain every time, but it’s always the same green circle. Can anyone help? I only have uBlock Origin installed and I installed it via the Chrome Store. I’m on OS X Mojave. Malwarebytes turns up nothing (PUPs enabled).
I want from extension to click the button but button click event is not working as if i use JS DOM Methods:
getElementsByClassName('button').click(); // Not working //or document.querySelector('button').click(); // Not working
The problem is that button is created either on “React.js“, so i think that causes not to happen the button click event.
Please suggest me any solution for this problem.
I’m running Google Chrome Version 83.0.4103.61 (64-bit) on Windows 10, and I’ve suddenly noticed that never mind what website I visit, when I right click “View frame source” is an option.
This strikes me as odd, as that option is usually only available when you’re wanting to view the source code of an iFrame. Whether I click “View frame source” or “View page source” the source code and URL are the same.
But why does Chrome suddenly think that any website I load is being displayed in a frame? Is this cause for concern or am I just being paranoid?
What’s the difference between these two Chrome extensions, which provide VPN functionality for browsing via Chrome:
Urban Shield: https://chrome.google.com/webstore/detail/urban-shield/almalgbpmcfpdaopimbdchdliminoign?hl=en
Urban Free VPN proxy Unblocker: https://chrome.google.com/webstore/detail/urban-free-vpn-proxy-unbl/eppiocemhmnlbhjplcgkofciiegomcon
They are both developed by the same company, but I couldn’t find any explanation regarding the differences between the two.
I’m trying to troubleshoot something on the client and I believe it has something to do with the the browser caching requests.
I’m loading the same page on Firefox and Chrome (Canary). When I look in the network tab, I see different behavior.
There server response has a max-age set for cache control. I see that Chrome always loads from (disk cache) if max-age has not been reached. But for Firefox, I’ll see it load the resource not from cache once in a while before max-age has been reached. Also I’m seeing 304 ‘not modified’ in Firefox, but not in Chrome.
Can someone help explain what I’m seeing?
Here are some screenshots of the Network tabs…
According to Arun on StackOverflow “Starting Chrome 80 version, cookies are encrypted using the AES256-GCM algorithm, and the AES encryption key is encrypted with the DPAPI encryption system, and the encrypted key is stored inside the ‘Local State’ file.”. (https://stackoverflow.com/questions/60230456/dpapi-fails-with-cryptographicexception-when-trying-to-decrypt-chrome-cookies/60611673#60611673).
Now at first glance this looks like an improvement rather than passing cookies to Windows Data Protection API (DPAPI) directly they’re encrypted with a better algorithm and only the key is protected through the API. Stronger encryption is used and Windows Data Protection API encrypts the key. Unfortunately the protection scope is changed from LocalUser to LocalMachine.
It appears that this means if a user were to copy the hard drive by plugging it into another computer they would no longer need your Windows account password to decrypt this key in the local state file with the Windows Data Protection API. In theory this would allow another user on the system to steal passwords and cookies weakening security protections that existed further.
I put together a code demo with Brave Browser demonstrating this risk (see: https://github.com/irlcatgirl/BraveCookieReaderDemo). It’s easy enough to swap paths of SQLite and Local State files for Chrome.
According to https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata#parameters
Typically, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted. However, a user with a roaming profile can decrypt the data from another computer on the network. If the CRYPTPROTECT_LOCAL_MACHINE flag is set when the data is encrypted, any user on the computer where the encryption was done can decrypt the data. The function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted.
Due to a change in scope in Windows DPAPI did this change harm Chrome’s security or am I misinterpreting my findings?