Problem to solve with my extension!

So here is my question: I made a picture, and I hope it’s really clear!

It’s impossible. Anything your extension does, your user can do.

Basically, yes. But what exactly is your threat model?

If you want to make sure that nobody tampered with the file, you can digitally sign it.

You will indeed not be able to prevent users from reading it. Whatever you implement, at some point you need to read the data and the user can intercept that (with the extension debugger).

If you think that what your extension does pisses off the users so much that they try to disable the extension by blocking the download,

  • you should rethink what you are doing in the first place
  • you could block everything as long as the file can’t be loaded
  • randomize host names and URLs, if you can control DNS resolution and have a sufficiently random set of IPs available.

The only thing I want is that the db file cannot be downloaded by a user who simply types the URL.

I still don’t see the motivation behind that, but if the “simply” is the focus here, you can use any kind of encryption that is simple enough for your extension but not “simple” for the user.

You could do actual crypto with some hardcoded key or even just an XOR with a constant value.

Is it possible inside background.js to encrypt the URL?

Instead of having: fetch('http://thepandorabox.be/pandora_db/dburl.dat')

fetch('01111000 01101111 01110010')?

Thanks

That won’t help much, developer tools will still show the raw URL etc.

And didn’t we solve this issue in an earlier thread already, where you’d block the request using webRequest once you had the data loaded?

'use strict';

let db = []; // session global: hostnames loaded from the database file

// ----- parse & cache the database data
fetch('http://myurl/db/db.dat')
  .then(response => response.text())
  .then(text => { db = text.trim().split(/[\r\n]+/); })
  .catch(error => console.log(error));

// ----- cancel any request whose hostname is listed in db
chrome.webRequest.onBeforeRequest.addListener(
  details => {
    let url = new URL(details.url);
    return { cancel: url && url.hostname && db.includes(url.hostname) };
  },
  {urls: ["http://*/*", "https://*/*"]},
  ["blocking"]
);

chrome.extension.isAllowedIncognitoAccess(function(isAllowedAccess) {
  if (isAllowedAccess) return; // Great, we've got access


});

I got a response from a developer who told me that:

You need to rethink your data model. If you don’t want the DB to be publicly accessible then it simply can’t be publicly accessible.

Instead of your script downloading the DB to the client and processing the request locally, you could send the request to your server. Your server then performs the necessary lookup (on the “hidden” database) and sends back a response. Your script then acts on this response.

You obviously need to rewrite your background.js script, but I don’t think the core principles are really any different. Instead of fetch()ing your entire DB file at the start of the script and using JS to look up the URL, you fetch() your server-side script in the event listener and pass the URL, either as a URL param or custom header. Your server-side script (PHP, Python, C#?) then looks the URL up in the DB (if this is “huge” then you will get better performance using a relational DB) and sends the boolean response back to the client.

How can I achieve that with my extension? Thanks!

Why do you need to hide that data? Is this the blacklist of URLs/domains that you want to be not visible to the users under the addon “protection”?

If so, I’d suggest making the blacklist contain not the domains themselves, but a list of hashes (like sha256 or so). Your addon will be able to check by hashing the domain name and testing whether the hash is in the set of blacklisted hashes, while your users won’t be able to reconstruct URLs from hashes.
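
The hashed-list idea from the post above, as an added example that is not code from the thread: the publisher serves SHA-256 hashes of normalized hostnames, and the extension hashes each request's hostname and tests set membership. All function names and sample hostnames are hypothetical. Hashing keeps the list unreadable at a glance, but anyone holding the file can still confirm a hostname they already suspect by hashing it.

```javascript
'use strict';
// Added example: hashed blocklist lookup. All names here are hypothetical.
// Web Crypto is global in extension pages and recent Node; fallback for older Node.
const subtle = (globalThis.crypto || require('node:crypto').webcrypto).subtle;

// Canonical form so publisher and extension hash identical bytes.
function normalizeHost(hostname) {
  return hostname.trim().toLowerCase().replace(/\.$/, '');
}

// SHA-256 of the normalized hostname, as lowercase hex.
async function hashHost(hostname) {
  const bytes = new TextEncoder().encode(normalizeHost(hostname));
  const digest = await subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Publisher side: turn plaintext hostnames into the file that gets served.
async function buildHashedList(hostnames) {
  const hashes = await Promise.all(hostnames.map(hashHost));
  return hashes.sort().join('\n') + '\n';
}

// Extension side: parse the served file, dropping malformed lines.
function parseHashedList(text) {
  const lines = text.split(/[\r\n]+/).map(l => l.trim().toLowerCase());
  return new Set(lines.filter(l => /^[0-9a-f]{64}$/.test(l)));
}

// Extension side: is this request's hostname on the list?
async function isBlocked(requestUrl, hashSet) {
  let host;
  try { host = new URL(requestUrl).hostname; } catch (e) { return false; }
  if (!host) return false;
  return hashSet.has(await hashHost(host));
}

// Constructed sample data, not taken from the thread.
async function demo() {
  const served = await buildHashedList(['ads.example', 'Tracker.Example.']);
  const set = parseHashedList(served + 'not-a-hash\n');
  return {
    served,
    size: set.size,
    ads: await isBlocked('https://ADS.example/banner.js', set),
    tracker: await isBlocked('http://tracker.example/p?id=1', set),
    other: await isBlocked('https://example.org/', set),
    bad: await isBlocked('not a url', set),
  };
}
```

In Firefox a blocking `onBeforeRequest` listener may return a Promise, so `isBlocked` can be awaited there. Chrome's blocking listeners must answer synchronously, so the lookup there would need hashes computed ahead of the request.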

Thanks, it’s solved now!