Problem to solve with my extension!

(Leonardo Sedevcic) #1

So here is my question. I did a picture, hope it’s really clear!

(Andrei Petcu) #2

It’s impossible. Anything your extension does, your user can do.

(Niklas Gollenstede) #3

Basically, yes. But what exactly is your threat model?

If you want to make sure that nobody tampered with the file, you can digitally sign it.

You will indeed not be able to prevent users from reading it. Whatever you implement, at some point you need to read the data and the user can intercept that (with the extension debugger).

If you think that what your extension does pisses off the users so much that they try to disable the extension by blocking the download,

  • you should rethink what you are doing in the first place
  • you could block everything as long as the file can’t be loaded
  • randomize host names and URLs, if you can control DNS resolution and have a sufficiently random set of IPs available.

(Leonardo Sedevcic) #4

The only thing I want is that the db file at that URL cannot be downloaded by a user who simply types the URL.

(Niklas Gollenstede) #5

I still don’t see the motivation behind that, but if the “simply” is the focus here, you can use any kind of encryption that is simple enough for your extension but not “simple” for the user.

You could do actual crypto with some hardcoded key or even just an XOR with a constant value.

(Leonardo Sedevcic) #6

Is it possible inside the background.js to encrypt the URL??

Instead of having: fetch(‘’)

fetch(‘01111000 01101111 01110010’) ?


(Martin Giger) #7

That won’t help much, developer tools will still show the raw URL etc.

And didn’t we solve this issue in an earlier thread already, where you’d block the request using webRequest once you had the data loaded?

(Leonardo Sedevcic) #8

'use strict';

let db = []; // session Global

// ----- parse & cache the database data
fetch('') // URL of the database file (not shown in the post)
  .then(response => response.text())
  .then(text => { db = text.trim().split(/[\r\n]+/); })
  .catch(error => console.log(error));

// ----- cancel every request whose hostname is listed in the database
chrome.webRequest.onBeforeRequest.addListener(details => {
    let url = new URL(details.url);
    return { cancel: url && url.hostname && db.includes(url.hostname) };
  },
  {urls: ["http://*/*", "https://*/*"]},
  ["blocking"] // required for the returned { cancel } to take effect
);

chrome.extension.isAllowedIncognitoAccess(function(isAllowedAccess) {
  if (isAllowedAccess) return; // Great, we've got access
  // (the rest of the callback is not shown in the post)
});

(Leonardo Sedevcic) #9

I got a response from a developer who told me that:

You need to rethink your data model. If you don’t want the DB to be publicly accessible then it simply can’t be publicly accessible.

Instead of your script downloading the DB to the client and processing the request locally, you could send the request to your server. Your server then performs the necessary lookup (on the “hidden” database) and sends back a response. Your script then acts on this response.

You obviously need to rewrite your background.js script, but I don’t think the core principles are really any different. Instead of fetch()ing your entire DB file at the start of the script and using JS to look up the URL, you fetch() your server-side script in the event listener and pass the URL, either as a URL param or a custom header. Your server-side script (PHP, Python, C#?) then looks the URL up in the DB (if this is “huge” then you will get better performance using a relational DB) and sends the boolean response back to the client.

How can I achieve that with my extension?? Thanks!

(Denis Lisov) #10

Why do you need to hide that data? Is this the blacklist of URLs/domains that you want to be not visible to the users under the addon “protection”?

If so, I’d suggest making the blacklist contain not the domains themselves, but a list of hashes (like sha256 or so). Your addon will be able to check by hashing the domain name and testing whether the hash is in the set of blacklisted hashes, while your users won’t be able to reconstruct URLs from hashes.
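
The hashed-list check suggested in post #10, as an added example that is not part of the thread. The function names and sample domains are assumptions, and the parent-domain matching goes beyond the exact-hostname match in the code from post #8.

```javascript
// Added example: hashed blocklist lookup. All names here are hypothetical.
const enc = new TextEncoder();
const SAMPLE_DOMAINS = ['Tracker.Example', 'ads.example.com']; // constructed sample

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  // Fallback only so the example also runs in Node, outside the browser.
  return (await import('node:crypto')).webcrypto.subtle;
}

// Lowercase and strip a trailing dot so "Ads.Example.COM." and
// "ads.example.com" produce the same hash.
function normalizeHost(hostname) {
  return hostname.trim().toLowerCase().replace(/\.$/, '');
}

async function sha256Hex(text) {
  const subtle = await getSubtle();
  const digest = await subtle.digest('SHA-256', enc.encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Build step, run before publishing the file: plain names in, hashes out.
async function buildHashedList(domains) {
  return new Set(await Promise.all(domains.map(d => sha256Hex(normalizeHost(d)))));
}

// Parse the published file: one hex digest per line, the same line-based
// layout as the db file in post #8. Malformed lines are ignored.
function parseHashedDb(text) {
  return new Set(text.trim().split(/[\r\n]+/).filter(l => /^[0-9a-f]{64}$/.test(l)));
}

// Lookup step, run in the extension: hash the request's hostname and each
// parent domain, so an entry for "example.com" also covers "cdn.example.com".
async function isBlocked(hostname, hashedDb) {
  const labels = normalizeHost(hostname).split('.');
  for (let i = 0; i < labels.length; i++) {
    if (hashedDb.has(await sha256Hex(labels.slice(i).join('.')))) return true;
  }
  return false;
}
```

The hashed file keeps the entries from being read off directly, but anyone can still test whether one particular hostname is listed by hashing it the same way. In Firefox a blocking `webRequest` listener may return a Promise, so the asynchronous `isBlocked` can be awaited there.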