Issue 654590

Starred by 14 users

Issue metadata

Status: Archived
Owner: ----
Closed: Oct 29
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Feature




chrome.serial unsupported in Chrome Extensions

Reported by schrockw...@gmail.com, Oct 10 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Steps to reproduce the problem:
1. Create a new chrome extension with the "serial" permission.

What is the expected behavior?
Chrome extensions should be able to access the chrome.serial API. 

What went wrong?
chrome.serial is unavailable

Did this work before? No 

Chrome version: 53.0.2785.143  Channel: stable
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0

With Chrome Apps being phased out on the desktop OS, the chrome.serial API will no longer be accessible to any desktop Chrome extension. It would be very useful to support extensions that can communicate with serial devices. Combined with messaging, this could open up a lot of opportunities for extensions that act as brokers between serial components and web applications.
 

Comment 1 by alph@chromium.org, Oct 10 2016

Components: -Platform>DevTools Platform>Extensions>API

Comment 2 by hdodda@chromium.org, Oct 12 2016

Labels: TE-NeedsTriageHelp

Comment 3 by e...@modk.it, Mar 19 2017

Did this work before? No 

Actually yes, this did work before.  

The accepted answer to this SO question (http://stackoverflow.com/questions/14154123/google-chrome-extension-serial-port-on-website) is correct that an extension cannot access chrome.serial directly but that you can currently have your extension communicate with a "headless" app (no UI - externally connectable) to access it.  But if your extension doesn't need to do anything reserved exclusively for extensions and not available to apps (e.g. adding to Chrome's UI or content scripts) you can currently have the browser communicate directly with the "headless" app to communicate over serial.  There isn't much difference when installing such a Chrome app vs. an extension as you get the same large "Add to Chrome+" button. The only subtle difference is the little button on the confirmation popup says "Add App" instead of "Add Extension", but in the end it even shows up in chrome://extensions/ so I don't think the user sees such an app as something different from an extension with the important part being that they understand what permissions they are giving to such an app/extension.  The added bonus is you get an icon in the chrome://apps/ too which you can use for an extension "about" page or whatever. 

We published such an app to the Chrome Webstore before the announcement to discontinue apps on PCs and I think the mechanism we had to use to enable this sheds some light on some of the security implications and how this may continue to be enabled.  Below are a few lines from the app's manifest.

  "externally_connectable": {
    "matches": ["*://*our.site/*"]
  },
  "permissions": [
    "serial"
  ]

First, we make our app externally connectable from our site, and then we enable serial.  These lines are important because I believe it ensures that the only way our app will activate and stay active to do anything including accessing serial (all it really does) without the app's UI itself being open (and again our app is like an extension and doesn't have its own UI window) is if our site asks it to.  If our app was externally connectable from anywhere then any site could ask our app to do stuff over serial.  We'll assume that's bad.

But what if the serial permission was simply enabled for extensions without any additional restrictions? Then any extension with serial permissions could be doing stuff over serial all the time even when the user is interacting with unrelated pages and webapps or even doing nothing at all. Let's agree that's also bad but for a bunch of different reasons.

So, I think it would be naive to enable serial (and USB) for all extensions and I cringe at all the things that can go wrong even when you restrict external access to certain pages.  But in absence of a better solution I believe we should be able to do what we can do today: enable serial and externally connectable in extensions where no extension only (non-app) features are needed.  

In summary give us a new flag: "headless_app_extension" or "externally_connectable_app_extension"

When we set it, we're saying we are using app features including serial and externally connectable just like we can do today but will not have a UI and not use extension only (non-app) features like content scripts.  Killing Chrome apps is about killing a second way to get a UI to end users and about bringing more of the formerly exotic APIs to the browser itself.  Moving backwards on this does not lead to those ends.  

Also it is important to note that while this bug was filed under chrome.serial, any other app-only (non-extension) API including chrome.usb was previously available as a virtual extension with externally connectable.

Best,
Ed
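
An added example, not code from the comment above or from the app it describes: a background-script handler for a headless serial broker of the kind discussed, which re-checks the sender's origin in code and limits what a page may ask of chrome.serial. The origin allowlist, the message shape and the function names are assumptions; the serial object is passed in so the logic also runs outside Chrome.

```javascript
// Added example: background script for a hypothetical headless serial broker.
// ALLOWED_ORIGINS, the message shape and all function names are assumptions.
const ALLOWED_ORIGINS = new Set(["https://our.site"]); // https only, exact origin
const MAX_WRITE_BYTES = 256;

// Decide whether an external message may reach the serial port at all.
function authorize(msg, sender) {
  let origin;
  try {
    origin = new URL(sender && sender.url).origin;
  } catch (e) {
    return { ok: false, error: "no sender url" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, error: "origin not allowed" };
  if (!msg || (msg.cmd !== "list" && msg.cmd !== "write")) {
    return { ok: false, error: "unknown cmd" };
  }
  if (msg.cmd === "write") {
    const d = msg.data;
    const bytesOk = Array.isArray(d) && d.length > 0 && d.length <= MAX_WRITE_BYTES &&
      d.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
    if (!Number.isInteger(msg.connectionId) || !bytesOk) {
      return { ok: false, error: "bad payload" };
    }
  }
  return { ok: true };
}

// Listener body; `serial` is chrome.serial in the app, a stub elsewhere.
function handleExternal(msg, sender, sendResponse, serial) {
  const verdict = authorize(msg, sender);
  if (!verdict.ok) {
    sendResponse(verdict);
    return false;
  }
  if (msg.cmd === "list") {
    serial.getDevices((ports) => sendResponse({ ok: true, ports: ports.map((p) => p.path) }));
  } else {
    serial.send(msg.connectionId, new Uint8Array(msg.data).buffer, (info) =>
      sendResponse({ ok: !info.error, bytesSent: info.bytesSent }));
  }
  return true; // keep the channel open for the asynchronous reply
}

// Register only when running inside Chrome.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) =>
    handleExternal(msg, sender, sendResponse, chrome.serial));
}
```

The allowlist here is narrower than the manifest's `*://` pattern, which also matches plain http pages.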




"These lines are important because I believe it ensures that the only way our app will activate and stay active to do anything including accessing serial (all it really does) without the app's UI itself being open (and again our app is like an extension and doesn't have its own UI window)"

Not true. Externally connectable apps do not have restrictions on operating without the site.

"If our app was externally connectable from anywhere then any site could ask our app to do stuff over serial."

Global externally connectable is not allowed.

"But what if the serial permission was simply enabled for extensions without any additional restrictions? Then any extension with serial permissions could be doing stuff over serial all the time even when the user is interacting with unrelated pages and webapps or even doing nothing at all."

Apps can already do that.

"When we set it, we're saying we are using app features including serial and externally connectable just like we can do today but will not have a UI and not use extension only (non-app) features like content scripts."

Then it would have the same capabilities as a current app. Also, external messaging is already an extension feature.


All that said, it seems very unlikely that app hardware apis will be enabled for extensions. If Google wanted to do so, they would not have deprecated the apps platform.

Comment 5 by e...@modk.it, Mar 20 2017

""These lines are important because I believe it ensures that the only way our app will activate and stay active to do anything including accessing serial (all it really does) without the app's UI itself being open (and again our app is like an extension and doesn't have its own UI window)"

Not true. Externally connectable apps do not have restrictions on operating without the site."

I believe the first part is true.  After restarting Chrome, you have to either click the app to launch it or go to a whitelisted site that can externally connect or your app code will not run (please correct me if I'm wrong).  Chrome makes a big deal about user interaction initiating potentially dangerous actions and puts great trust in actions that were user initiated (through say a click) even if they happen only once in the whole app's (well its cache's) lifetime.  I believe this is the subtle difference in what we are able to do today and what the original bug submitter proposed as current extensions can run after chrome restart without user interaction where the solution I highlighted cannot.  

""If our app was externally connectable from anywhere then any site could ask our app to do stuff over serial."

Global externally connectable is not allowed."

Yes I know.  I am saying that's a good thing.  

""But what if the serial permission was simply enabled for extensions without any additional restrictions? Then any extension with serial permissions could be doing stuff over serial all the time even when the user is interacting with unrelated pages and webapps or even doing nothing at all."

Apps can already do that."

Again but you have to run the thing at least once or a whitelisted site has to externally connect to it (if this is not the case please correct me).  And apps cannot have content scripts which open up unlimited sites that can introduce malicious content that affects serial port access. 

""When we set it, we're saying we are using app features including serial and externally connectable just like we can do today but will not have a UI and not use extension only (non-app) features like content scripts."

Then it would have the same capabilities as a current app. Also, external messaging is already an extension feature."

No you would not have the app UI which is what they are killing.

"All that said, it seems very unlikely that app hardware apis will be enabled for extensions. If Google wanted to do so, they would not have deprecated the apps platform."

These are two mostly unrelated issues. But actually Google's stated reason for deprecating the apps platform on desktop is in line with enabling these hardware APIs for extensions first and then moving them to standards with per site or possibly per session controls similar to webcam and microphone access.  From the announcement: "On Windows, Mac, and Linux, we encourage developers to migrate their Chrome apps to the web. Developers who can’t fully move their apps to the web can help us prioritize new APIs to fill the gaps left by Chrome apps. In the short term, they can also consider using a Chrome extension"  

-Ed

Comment 6 by e...@modk.it, Mar 20 2017

I'd like to hear from someone at Google about this. Nothing about the Chrome apps announcement or anything else I've seen indicates that anyone within Google has raised any security-based or philosophical issues with the way things are now and how they have been since before that Stack Overflow answer from 4 years ago with respect to the ability to access chrome.serial through externally connectable.  

The apps announcement is sane.  Developers should build web apps if they want a web app and rely on extensions to fill in the gaps or they can package their apps with Electron et al if they want the feel or additional features of a desktop app.  All sane.  If you got accustomed to the weird second class citizen desktop app experience that was Chrome apps on desktop, I'm sorry you bought into that.  Chrome apps are first class citizens (with Android apps immigrating in big numbers) on Chromebooks so don't feel so bad for them.

What we're talking about here are webapps that have been able to use Serial/USB APIs and are in for a big setback all in the name of progress for webapps.  I don't think this is Google's intent and unless this affects you, or you can do something about it, please save your feedback.


To reiterate, my points are:

1) Webapps are losing capabilities based on a plan meant to invest more in them
2) Current capability to access serial APIs indirectly through externally connectable has existed for years with no reports of security concerns 
3) If serial and usb apis were allowed indirectly but not made available to extensions directly I would assume that the security issues that prevented them are related to combining them with other extension only APIs or features like content scripts.  Or that the indirection through messaging APIs acts to increase security (similar models are used in OSX's sandboxing.) 
4) If so I believe a simple way forward is to enable "headless app" extensions with all the current capabilities through externally connectable but without enabling extensions to directly access serial/USB.


Components: -Platform>Extensions>API Platform>Apps>API>Serial
Labels: -Type-Bug Type-Feature
Cc: kavvaru@chromium.org
 Issue 727018  has been merged into this issue.

Comment 9 by shrike@chromium.org, Aug 10 2017

 Issue 745573  has been merged into this issue.

Comment 10 by pa...@azucrina.org, Oct 27 2017

I wonder if anyone from Google can give us a definitive clear answer:
Is the Serial api going to be enabled in extensions in any way? Right now I'm just confused if it will or not...

Comment 11 by sheriffbot@chromium.org, Oct 29

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
