有没有办法检测特定的浏览器扩展是否正在与服务器通信?

huangapple go评论128阅读模式
英文:

Is there any way of detecting if a particular browser extension is communicating with a server?

问题

有时候,当我们在Chrome或Firefox上安装浏览器扩展时,会看到关于扩展使用的不同权限的许多警告...我知道我可以以不同的方式监视发生在我的计算机上的所有流量,比如:

  1. 安装像iftop这样的命令行工具,它可以监视我的计算机上的流量(在Linux上)
  2. 安装像Wireshark这样的工具,也可以监视我的计算机上发生的流量
  3. 当我们打开浏览器的Console时,检查浏览器的Network功能

然而,所有这些选项都将监视我的计算机或浏览器的整个流量...我想要监视浏览器扩展的流量,以查看它是否正在与服务器通信。但是使用我提到的工具很难区分特定的流量是否来自Web扩展...有没有办法只检测我选择的Web扩展的流量?我的第一个猜测会是在浏览器控制台上使用某种命令来监视扩展...是否有这样的东西?


当浏览器扩展请求许多权限时,我看到了很多信任问题。我认为,如果我能在一天中监视特定的Web扩展流量并检查它是否正在与服务器通信,那将会更容易处理这个问题...假设有一个Web扩展请求以下权限:

访问您的所有网站的数据
读取和修改书签
从剪贴板获取数据
向剪贴板输入数据
访问浏览历史记录
向您显示通知
访问最近关闭的标签页
访问浏览器标签页
在导航期间访问浏览器活动

我可能错了...但是如果我完全确定这个扩展没有与外部Web服务器通信,我认为一个监视单个扩展流量的方法将非常有用...

英文:

Sometimes when we install browser extensions on Chrome or Firefox we see many warnings about different permissions that those extensions are using... I know I can monitor all the traffic that happens on my computer in different ways like:

  1. Installing a command-line tool like iftop that can monitor the traffic on my computer (on Linux)
  2. Installing a tool like Wireshark and also monitor the traffic happening on my computer
  3. Check the browser Network functionality when we open its Console

However, all these options are going to monitor the entire traffic of my computer or browser... I'd like to monitor the traffic of a browser extension to see if it's communicating with a server. But it gets very hard to distinguish if a particular traffic is coming from a web extension or not using the tools that I've mentioned... Is there any way of detecting just the traffic of the web extension that I've selected? My first guess would be something like a command that I can use on the browser console to monitor the extension... Is there such a thing?


I see a lot of trust issues when a browser extension asks for a lot of permissions. I think it'd be a lot easier to handle this if I could monitor specific web extensions traffic during the day and check if it's communicating with a server or not... Let's say there's a web extension asking the following permissions:

    Access your data for all websites
    Read and modify bookmarks
    Get data from the clipboard
    Input data to the clipboard
    Access browsing history
    Display notifications to you
    Access recently closed tabs
    Access browser tabs
    Access browser activity during navigation

I may be wrong... But I don't see any major problems with an extension asking all these permissions if I'm completely sure that this extension is not communicating with any outside server on the web. So a way of monitoring the traffic of an individual extension would be very useful...

答案1

得分: 2

Google Chrome扩展使用2种类型的文件。一种类型在浏览器中的行为就像普通的JavaScript一样。这些文件的活动记录方式与网站活动在浏览器中的记录方式相同。按下F12键,你可以跟踪它。然后还有背景文件,它们也会被记录。右键单击要查看的扩展,然后单击"管理扩展",然后单击"背景页"。这看起来与在浏览器中按下F12键一样,但这个记录了扩展在后台执行的所有操作。在你的情况下,只需查看网络标签。

另一种确定这一点的方法是下载扩展的源代码。我在Chrome中执行此操作的方法是安装Chrome扩展源代码查看器,现在你可以浏览源代码,查看特定调用的位置。

英文:

Google Chrome extensions use 2 types of files. One type works in the browser just like normal JavaScript. This files activity is logged the same way website activity is logged in your browser. Press F12 and you can track it. Then there are background files, which also get logged. Right click the extension in question then click manage extension and then click backgroundpage. This looks the same as if you are pressing F12 in your browser, but this one logs everything the extension does in the background. In your case just look in the network tab.

Another way to determine this is to download the source of an extension. The way I do this for Chrome is by installing chrome extension source viewer, now you can dig through the source code to see where certain calls get made.

huangapple
  • 本文由 发表于 2020年1月7日 01:26:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/59616419.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定