
Is there any possible way to track a Chrome extension's outgoing network communication from a website?

Let's assume that a Chrome 'content script' extension sends AJAX queries to a server on a specified IP to create custom analytics. This extension works in the browser while the user browses through various websites.

Is there any possibility for these websites to track what the extension does (that it opens AJAX) or where it sends data to (to which IP it was trying to send the AJAX query)?

UPDATE

To be clear, I am curious about an independent third-party website's tracking abilities, not the extension-user's.

UPDATE

More clarification: the extension is sending requests to a server not related to the servers/websites the user is browsing.

EXAMPLE

User is browsing YouTube and Facebook daily. This extension sends AJAX queries to a storage server where the user's visited URLs are stored (YouTube and Facebook). What I would like to know is, does e.g. Facebook know that this extension does this, and what the IP of the storage server is?

István Pálinkás
  • Send those requests in your extension's background page. – wOxxOm Jul 21 '16 at 09:08
  • I think if content_scripts does not have access to variables or functions defined by web pages, then the converse assertion is true too. That is, a web page can't track requests from content_scripts. [Execution environment](https://developer.chrome.com/extensions/content_scripts#execution-environment) – UserName Jul 21 '16 at 09:38
  • @wOxxOm What is the practical advantage? – István Pálinkás Jul 21 '16 at 14:21

2 Answers


Basically, no, because of the concept of isolated world. Emphasis mine:

> Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. It looks to each content script as if there is no other JavaScript executing on the page it is running on. The same is true in reverse: JavaScript running on the page cannot call any functions or access any variables defined by content scripts.

So if you were thinking of doing something like overriding XMLHttpRequest, this would not work, as a content script has a "safe harbour" you can't touch.

And that's even before the possibility to delegate network operations to the background script, which is a completely different origin.

There is an exception to this: an extension can sometimes inject code directly into the page context. Then it coexists with the website JavaScript and in theory one can spy on the other. In practice, however, an extension can execute its code before any of the website's code has a chance to react, and therefore conceal or shield itself from interference.

Xan
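The following is an added example, not code from the original post and not from Chrome itself. It shows the XMLHttpRequest/fetch hook that a website could install to log where scripts in its own JavaScript world send data (the override Xan says would not work against a content script), and then makes the isolated-world point concrete: requests made through a different world's copy of XMLHttpRequest/fetch never pass through the page's patched functions. To run offline in Node.js, each "world" is modelled as a plain object holding its own XMLHttpRequest constructor and fetch function; those constructors, the world objects, `analytics.example` and the sample URLs are all constructed for the demonstration and never touch the network.

```javascript
// Added example, not code from the original post: the request spy a web page
// could install to watch where scripts in ITS OWN JavaScript world send data,
// and why it misses a Chrome content script's requests (isolated world).
//
// To run offline in Node.js, each JavaScript "world" is modelled as a plain
// global object carrying its own XMLHttpRequest constructor and fetch
// function, the way a page's main world and a content script's isolated world
// each have their own copy of those built-ins while sharing one DOM.
// The XMLHttpRequest/fetch stand-ins only record, they never send anything.

// Constructed stand-in for the browser's XMLHttpRequest.
function makeXhrClass() {
  return class XMLHttpRequestStandIn {
    open(method, url) { this.method = method; this.url = String(url); }
    send(body) { this.body = body; }
  };
}

// Constructed stand-in for window.fetch.
async function fetchStandIn(input, init) {
  return { ok: true, url: String(input), method: (init && init.method) || 'GET' };
}

// One JavaScript world with fresh built-ins (like a separate global object).
function makeWorld(name) {
  return { name, XMLHttpRequest: makeXhrClass(), fetch: fetchStandIn };
}

// What a website could do: wrap XMLHttpRequest.prototype.open and fetch on a
// global object and log the destination host of every request routed through
// them. Returns the log so the caller can inspect what was observed.
function installRequestSpy(world) {
  const seen = [];
  const record = (api, url) => {
    let host;
    try { host = new URL(String(url), 'https://page.example/').host; }
    catch { host = '(unparseable)'; }
    seen.push({ api, host, url: String(url) });
  };

  const proto = world.XMLHttpRequest.prototype;
  const origOpen = proto.open;
  proto.open = function (method, url, ...rest) {
    record('xhr', url);
    return origOpen.call(this, method, url, ...rest);
  };

  const origFetch = world.fetch;
  world.fetch = function (input, init) {
    record('fetch', typeof input === 'string' ? input : input.url);
    return origFetch.call(this, input, init);
  };
  return seen;
}

// Simulated extension code shipping the visited URL to its analytics server.
// 'analytics.example' is a made-up host for this demonstration.
const ANALYTICS_ENDPOINT = 'https://analytics.example/collect';

function reportVisit(world, visitedUrl, api) {
  const payload = JSON.stringify({ url: visitedUrl });
  if (api === 'fetch') {
    return world.fetch(ANALYTICS_ENDPOINT, { method: 'POST', body: payload });
  }
  const xhr = new world.XMLHttpRequest();
  xhr.open('POST', ANALYTICS_ENDPOINT);
  xhr.send(payload);
  return xhr;
}

// Runs both cases from the answer and reports what the page's spy saw.
function demo() {
  const pageWorld = makeWorld('page main world');
  const isolatedWorld = makeWorld('content script isolated world');
  const log = installRequestSpy(pageWorld);   // installed by the website

  // Case 1: extension code injected INTO the page context (the exception the
  // answer mentions) shares the page's built-ins, so both requests are seen.
  reportVisit(pageWorld, 'https://www.youtube.com/watch?v=abc', 'xhr');
  reportVisit(pageWorld, 'https://www.youtube.com/watch?v=abc', 'fetch');

  // Case 2: a normal content script uses its own world's XMLHttpRequest and
  // fetch, which the page never got to patch, so nothing is logged.
  reportVisit(isolatedWorld, 'https://www.facebook.com/', 'xhr');
  reportVisit(isolatedWorld, 'https://www.facebook.com/', 'fetch');

  return {
    requestsMade: 4,
    observed: log.map(e => `${e.api} -> ${e.host}`),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a real page the spy would be installed on `window` by the first script the site runs. It only ever covers the APIs it wraps in its own world, which is exactly the limit Xan describes: a content script's XMLHttpRequest is a different object, and a background page's request never enters the page at all, so the visited site learns nothing about the storage server's address from JavaScript alone.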

Maybe this is overkill but you can try to sniff your own traffic using Wireshark (or any other program) and have a look at the requests. If they are using https then things will be harder and you will have to decrypt the traffic.

  • Thanks Pablo, but if I understand it right, Wireshark and similar stuff need to be installed on the client's computer (the one that uses the extension) and not on the visited website owner's. I will now make an update on my question to make sure I am clear that I am curious about an independent website's tracking abilities, not mine as the user of the extension. – István Pálinkás Jul 21 '16 at 09:06
  • Yes, I understood it the wrong way. I think they can track the origin of the request. For example, imagine that you are retrieving a JSON from _api/getUser.php?id=1_. They will be able to check $_SERVER: [$_SERVER PHP](http://php.net/manual/en/reserved.variables.server.php) – Pablo Jiménez Jul 21 '16 at 09:13
  • Yeah, that is right. I need to clarify it a bit more. The extension sends requests to another server not related to the server on which the extension user is browsing (using a cross-domain JSONP request). I will append this clarification to my question soon. – István Pálinkás Jul 21 '16 at 09:20