[LibX] Installing toolbar on Chrome

Godmar Back godmar at gmail.com
Tue Aug 7 18:14:57 PDT 2012


I've now restored the hosted .crx so it works using the manual installation
work-around. Existing users also are still able to receive updates (until
Google turns this off in Q3 2013 [1]).

I'm discussing some of the issues with the Google developers on the
Chromium Apps mailing list.

There are some we can probably work around - not using hot-updatable code,
for instance, or using a templating framework such as Angular that doesn't
require the now-illegal 'eval()'.

There are others that are less clear. For instance, our Libapp framework
fundamentally relies on (really anyone) to create modules to which users
could potentially subscribe, or edition maintainers could subscribe their
users to them. That's similar to userscripts.org, a web site which has now
ceased to function for Chrome v21 users (except when using that
work-around.)  I'm curious to see if I get a response from Google whether
they'll allow that at all. If not, we could still offer the LibX popup and
Libapps created by us; but the Libapp Builder would probably be much less
useful.

 - Godmar

[1] http://code.google.com/chrome/extensions/manifestVersion.html

On Tue, Aug 7, 2012 at 2:59 PM, Mei Ling Lo <mlo at rulmail.rutgers.edu> wrote:

> Thanks for the update.  This is REALLY bad news.  I have more users who
> have switched to Chrome.  There is also a potential danger that Firefox may
> follow Chrome's footsteps for security reasons.  I wonder how Yahoo handles
> their toolbar...
>
> Well, the glass is still half full - at least you know what the problem is!
>
> Mei Ling
>
>
> On Aug 7, 2012, at 12:44 PM, Godmar Back <godmar at gmail.com> wrote:
>
>
> There is a bit of bad news here :-(
>
> I was trying to get LibX included in the Chrome Web Store so that users do
> not have to use that work-around (which I find unacceptable).  This
> requires updating LibX to conform to more stringent security policies
> Google has put in place, namely the use of a so-called manifest version 2.
>  (Even if LibX doesn't get into the Web Store, Chrome will stop supporting
> any manifest version 1 extensions in 2013.)
>
> Unfortunately, manifest version 2 severely tightens security in so many
> ways upon which LibX depends. In particular, they don't allow the use of
> the JavaScript eval() function. LibX relies on it in multiple ways:
>
> - to push immediate updates to users when we make hotfixes
> - to implement modules & libapps in LibX 2.0 where userscript-like js is
> served via the libapp feeds.
> - the preference pages are implemented using a custom templating system
> which relies on JsPlate.js, which, you guessed it, is based on eval().
>
> All in all, that's a huge effort, I'd expect several man months. Quite
> frankly, I don't know if we have those resources.  To add to the misery,
> I've overly optimistically made some of those changes (e.g., upgraded the
> manifest to version 2) in the current build at libx.org/releases, which
> is non-functional.  I could revert those, but don't see the reason since
> the result a) won't be installable except using the work-around and b)
> wouldn't run in a few months anyway. This is particularly bad since Chrome
> had become our reference platform (Brian Nicholson developed LibX 2.0 on
> it, then basically ported it to Firefox).
>
> I must admit that Google announced this roadmap (*) earlier this year, but
> we weren't following it/didn't understand its impact. The most recent
> policy change was unannounced.
>
> From a Computer Science perspective, Google is applying sound security
> principles. However, most of the existing software infrastructure relies on
> the old, relaxed security assumptions JavaScript developers have been
> practicing for the last decade.  I'm guessing that their move now was
> forced, that is, due to the severe financial impact/cost of dealing with
> malicious extensions that trick users into downloading them, then stealing
> web information.
>
> It remains to be seen if Firefox is going to follow suit here or not
> (currently, FF extensions don't use a manifest at all and give full access
> to the downloaded code.)
>
>  - Godmar
>
> (*) http://code.google.com/chrome/extensions/manifestVersion.html
>
> On Mon, Aug 6, 2012 at 11:45 AM, Mei Ling Lo <mlo at rutgers.edu> wrote:
>
>> Last week when a user told me about the problem of installing the toolbar
>> on Chrome, I was not sure what was going on.  The news posted on LibX web
>> site this morning solved the mystery.  For those of you who have not seen
>> it, you may be interested in reading it.
>>
>> http://libx.org/work-around-for-installing-libx-on-google-chrome/
>>
>> Thank you.
>>
>> Mei Ling
>>
>> _______________________________________________
>> Libx mailing list
>> Libx at mozdev.org
>> https://www.mozdev.org/mailman/listinfo/libx
>>
>
>
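
An added example, not part of the original thread and not code from LibX, JsPlate.js or Angular: one way a templating step can run under manifest version 2's ban on eval(), by parsing the template into a tree and walking it instead of generating JavaScript. The `{{...}}` syntax and every function name here are assumptions made for this sketch.

```javascript
// Added sketch (syntax constructed here): {{a.b}} and {{#each list}}...{{/each}}, no eval().
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Resolve "a.b" via own properties only, so templates cannot reach inherited members.
function lookup(scope, path) {
  let cur = scope;
  for (const key of path.split(".")) {
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, key)) return "";
    cur = cur[key];
  }
  return cur;
}

// Parse the template into a tree of text, value and each nodes.
function parse(template) {
  const root = { type: "root", children: [] }, stack = [root];
  const tag = /\{\{\s*(#each\s+|\/each)?([\w.]*)\s*\}\}/g;
  let last = 0, m;
  while ((m = tag.exec(template)) !== null) {
    const top = stack[stack.length - 1];
    top.children.push({ type: "text", text: template.slice(last, m.index) });
    last = tag.lastIndex;
    if (!m[1]) {
      top.children.push({ type: "value", path: m[2] });
    } else if (m[1] === "/each") {
      if (stack.length === 1) throw new SyntaxError("unmatched {{/each}}");
      stack.pop();
    } else {
      const node = { type: "each", path: m[2], children: [] };
      top.children.push(node);
      stack.push(node);
    }
  }
  if (stack.length > 1) throw new SyntaxError("unclosed {{#each}}");
  root.children.push({ type: "text", text: template.slice(last) });
  return root;
}

// Walk the tree; template data is only ever read and escaped, never executed.
function renderNode(node, scope) {
  if (node.type === "text") return node.text;
  if (node.type === "value") return escapeHtml(lookup(scope, node.path));
  const found = node.type === "each" ? lookup(scope, node.path) : [scope];
  const scopes = Array.isArray(found) ? found : [];
  return scopes.map((s) => node.children.map((c) => renderNode(c, s)).join("")).join("");
}
const render = (template, data) => renderNode(parse(template), data);
console.log(render("{{#each c}}<li>{{name}}</li>{{/each}}", { c: [{ name: "Law & Policy" }] })); // constructed sample
```

Because lookups are limited to own properties, a template that names `constructor.constructor` renders as an empty string rather than exposing the Function constructor.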