Google recently launched a redesigned version of its Web Store where one can install extensions and web apps. One particular feature caught my attention: it marks the extensions that you already have with a check mark. How does the web page know which extensions you have installed?
Turns out the answer is simple. The Web Store is a pre-installed web app (actually, it is even hardcoded into the browser). Web apps in Chrome can have special privileges if they request them, same as extensions. A look at the Preferences file shows the privileges of the Web Store app: management API and webstorePrivate API. The former allows querying your installed extensions which explains how the website learns about them. But it can do more: enable or disable extensions and even uninstall them without any kind of visible notification.
The webstorePrivate API is (as its name already says) meant for the Web Store only. It isn’t documented online but you can find the documentation if you search in the chrome.dll file. It is apparently the Chrome equivalent of Gecko’s InstallTrigger, with the difference that Firefox makes InstallTrigger available to all websites. But its functionality goes beyond that. First of all there is a method silentlyInstall(), the documentation claims that only some extensions can be installed this way however. The list can be found in extension_webstore_private_api.cc file in the Chrome source code. Apparently, the trusted extensions are currently Google +1 Button and Google+ Notifications. There are 6 more extension IDs on the list which are currently unused (but Google could add these extensions to the Web Store at any time).
If you use Sync in Google Chrome then Web Store already knows you — thanks to method getBrowserLogin(). And if you don’t, the method pair setStoreLogin() / getStoreLogin() makes sure that the store never forgets you even if you remove your cookies.
So much about the Web Store web app. But from my Preferences file I learned that I have more web apps that I never installed. YouTube? Gmail? Where did these come from? Turns out, these web apps had some help getting their top popularity in the Web Store. My Google Chrome installations (at least Chrome 16 and Chrome 17, not Chrome 15 for some reason) have a file default_apps/external_extensions.json where these apps are defined. Removing this file seems to be the only way to get rid of these apps but it will come back on the next Chrome update of course.
Obviously, the point here isn’t really cheating with the popularity ranking of the own web apps (though maybe it is, to some degree). The installed web apps are featured prominently on the new tab page which is likely what this is mostly about. After all, this page is advertising space (the ntp entry in the Preferences file tells me that there was an advertising campaign for Chromebook running on this page until November 8th but I have zero views — somehow I missed it). And another nice side-effect: Gmail automatically gets the notification permission and can display desktop notifications without asking the user for permission. Bad luck for all the other webmail services out there.
Don’t get me wrong: Google Chrome is a great browser and it is easy to get excited about it, argue about benchmarks, brand-new standards and such. But sometimes you get a reminder: this is a Google product and it has to benefit Google. It isn’t merely about making the web better, it is also about promoting Google products and giving them an advantage over competing services. Google may speak out for net neutrality but with their browser the own services get prioritized. Even if it requires violating your privacy.
Comments
It is amusing.
But I would say it is obvious that Chrome is designed with the idea that people are stupid.
{ +block{Phoning home} }
chrome.google.com/webstore
Or just use Chromium I guess.
“One particular feature caught my attention: it marks the extensions that you already have with a check mark.”
Small nit: Apparently this feature was already present in earlier iterations of the web store as the install buttons were greyed put, inactive and had a different text for extensions which you already had installed.
Yes, I’m pretty sure that it isn’t a new feature – but I only noticed it after the redesign.
@LorenzoC:
I would say it is obvious that Chrome is designed with the idea that people are stupid.
Not only that, but it seems to work: look how fast Chrome got a significant market share and how much Firefox apparently feels the need to ape it. (:-Þ)
OTOH, SeaMonkey was developed with intelligent people in mind, or at least people who were not, for instance, so stupid that an abundance of preferences would terrify them. Maybe also for people a little on the conservative side (including Netscape old-timers). In terms of market share, it seems to have been the wrong decision. But is market share the be-all and end-all of open-source browsers? I’m certain that SeaMonkey’s all-volunteer developers had some powerful motivation where market share was far from being the most important factor.
Of course, market share (including most especially a share in the part of the market which is most easily “convinced” by advertising) is important to Google (which brings me back on-topic).
Where would one put the following?
{ +block{Phoning home} }
chrome.google.com/webstore
Nice catch & detective work.
However it’s possible for any site to detect most of the extensions that someone has installed using something like:
http://albinowax.users.sourceforge.net/sbad.html
That’s a bug that could be fixed eventually (and Mozilla actually fixed a similar issue a few years ago). It’s quite different from a privilege escalation that’s supported by the browser vendor. Not to mention that the website is allowed to do more than just detecting installed extensions.
Agreed, I wasn’t suggesting that detecting extensions was comparable with silently installing them. I didn’t get the impression that google regards extension detection as a bug, though it’s clearly less intentional than silentlyInstall().
Firefox has AMO integration (all though not as integrated as this).
I would imagine if the Firefox guys had thought of this, they would have done it as well.
The logic is in the browser however, AMO is merely providing data. For me that’s a very important difference – the browser logic is on my computer, I can go look at it and there is a changelog for each release. It won’t suddenly change because Mozilla is running a campaign. And if it changes then the change will leave traces. AMO has a strict policy that websites are not to be trusted – that policy applies to extensions but it also applies to the browser itself.
I cannot imagine Mozilla leaving a backdoor in the browser to silently install extensions, sorry. Particularly extensions that aren’t even defined yet and could potentially do anything.
Another small nit:
“And another nice side-effect: Gmail automatically gets the notification permission and can display desktop notifications without asking the user for permission. Bad luck for all the other webmail services out there.”
If I am understanding correctly, you can disable the option within Gmail to disable desktop notifications. This should result with no notifications when using Chrome or any other browsers. I have that option set and don’t see any notifications in browsers (Firefox & Chrome) or on my desktop. I log into email and view the inbox to see if I have new mail (by design).
Hope that helps…
I am talking about the browser, and the browser automatically gives Gmail a permission that other websites (like competing mail services) have to ask for. What Gmail does with that permission is absolutely irrelevant here.
Doesn’t this page’s Google search box somewhat undermine the points made? -p
What do you think is the point? “Google is evil, never trust Google and always use other search engines because they are soooo much better”?
Thanks for the infos. I hope you’ll keep an eye on it.
I believe we didn’t see anything yet. The “best” will come later as the Market-Share grows smoothly. My sister has Chrome without even knowing how ( probably from an installer of other popular program )…