2

I am fairly interested in my website visitor's Chrome extensions, and what they do

( outgoing network communication, file saving, storage, etc. )

Is there any possibility to detect these?

István Pálinkás
  • 2,217
  • 7
  • 25
  • 50
  • 1
    Possibly related: [Can a website block a Chrome Extension?](https://stackoverflow.com/questions/16786186/can-a-website-block-a-chrome-extension) – Xan Jul 15 '16 at 10:37

2 Answers2

3

No.

That would be a nasty invasion of privacy.

The closest you could come to detecting an extension would be to examine the DOM and JS environment of your page and see if the browser modified it in ways you didn't expect … but that would be a massively broad problem to solve, so you could only practically do it to look for very specific effects (which is what ad-blocker-blockers do).

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Oh, I see. So the only type of extensions I can roughly detect is the 'Content scripts' – István Pálinkás Jul 15 '16 at 09:47
  • 1
    @StevenPalinkas No, you cannot detect those, as they run in a context isolated from your page. You can only possibly detect the effects of the extensions on the DOM, and [injected page-level scripts](https://stackoverflow.com/questions/9515704/building-a-chrome-extension-inject-code-in-a-page-using-a-content-script), if any (and they may hide efficiently). – Xan Jul 15 '16 at 10:27
1

For some specific extensions only, you can detect them by trying to load resources from them. This will be testing for specific extensions, and not discovering a list.

This requires you to know the extension ID, path to resource, and the resource has to be in web_accessible_resources. As the name suggests, that makes some files accessible from the web context, so you can try to load them. A network error would signify it's not installed (or no longer has that resource in web-accessible).

Again, that requires you to know the extension you're going to test for in advance, and extensions without web-accessible resources are invisible to this technique.

Notes:

  • Google Cast library uses this technique to probe if its own extension is installed.
  • If it's not, it generates a nasty error in the JS console for the failed network transfer, an error that you cannot silence from JS code — which was enough of an annoying problem that Chrome eventually added a blacklist for those console messages just so it isn't an eyesore.

From that, you can deduce it's probably not a good idea to test for a long list of extensions. It will pollute your console with errors. For cooperating extensions on pre-defined domains, there's a better way to test that it's installed. But that's not your case.

Xan
  • 74,770
  • 16
  • 179
  • 206