I'm trying to build a Firefox extension that nudges installation of security-enforcing extensions (like https_everywhere). In that process, I'd like my extension to check if it has https_everywhere installed.
Is there a programmable way to find out what extensions a user has installed once they enable my extension on their browser?
You can use management
With the management API you can:
- get information about installed add-ons
- enable/disable add-ons
- uninstall add-ons
- find out which permission warnings are given for particular add-ons or manifests
- get notifications of add-ons being installed, uninstalled, enabled, or disabled.
Most of these operations require the "management" API permission. Operations that don't provide access to other add-ons don't require this permission.
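The check the question asks for, as an added example that is not part of the original answer: it reads the installed add-ons with `management.getAll()` and keeps the result current through the management events. The add-on ID in `WANTED_ID` and the helper names `addonState` and `trackAddon` are assumptions made for illustration.

```javascript
// Added example. manifest.json must declare: "permissions": ["management"]

// Assumed add-on ID for illustration; confirm the real ID of the
// extension you want to detect before relying on it.
const WANTED_ID = "https-everywhere@eff.org";

// Classify one add-on from a list of management.ExtensionInfo objects.
// Matching is on the add-on ID, not the display name: names are not
// unique, so a lookalike add-on could otherwise satisfy the check.
function addonState(infos, wantedId) {
  const hit = infos.find((i) => i.type === "extension" && i.id === wantedId);
  if (!hit) return "missing";
  return hit.enabled ? "enabled" : "disabled";
}

// Query once, then re-check whenever the wanted add-on is installed,
// uninstalled, enabled or disabled. `management` is browser.management
// when running inside an extension.
async function trackAddon(management, wantedId, onState) {
  const report = async () =>
    onState(addonState(await management.getAll(), wantedId));
  const ifWanted = (info) => {
    if (info.id === wantedId) report();
  };
  management.onInstalled.addListener(ifWanted);
  management.onUninstalled.addListener(ifWanted);
  management.onEnabled.addListener(ifWanted);
  management.onDisabled.addListener(ifWanted);
  await report();
}

// Only runs inside a WebExtension, where `browser` is defined.
if (typeof browser !== "undefined" && browser.management) {
  trackAddon(browser.management, WANTED_ID, (state) => {
    if (state !== "enabled") {
      console.log(`Nudge the user: ${WANTED_ID} is ${state}`);
    }
  });
}
```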
Related
I'm currently developing a Gmail add-on and am hoping to allow a few users internal to my team to test out the add-on prior to a public release. I was following the documentation here from Google that states
You can allow other users to test the add-on by sharing the Apps Script project with their account (read access is required) and then prompting the users to follow the above steps.
I assume that 'read' access is equivalent to 'view' access, and have given a user 'view' access to the project.
The problem I'm running into is that even with 'view' permissions, users aren't able to do a test deployment and install the add-on to their Gmail account. The blue 'Deploy' button simply isn't visible. Any ideas on how to get my add-on into a few users' hands before publishing, but without giving them edit privileges?
One way to do it is to have the users copy your script and deploy it.
Another is to publish the Add-On privately and you would have control over what version of the Add-On your test users are seeing. For this your users should be of the same Google Workspace domain.
My organization just blocked all native mail apps from accessing outlook, forcing us to use the outlook mobile app. They probably did this through conditional access through Azure AD, but I’m not 100% sure. I don’t want to do that, I like the native iOS app better. Are there any workarounds so I can start using the native app again?
There is no workaround to access Outlook with native mail apps if Outlook is blocked by a conditional access policy. That would be a huge security liability if there was a way to change an admin's access controls. As Sunny said, the best thing to do here is to ask the admin to enable this for your account.
What would be the best way to obtain an AAD token from an electron app?
Microsoft has 2 JavaScript authentication libraries: adal.js and msal.js.
Both are designed for browsers and not native Electron apps (For example - AAD won't allow for file:/// scheme as a reply URL).
Sounds like a long term solution would be native AAD packages (like Microsoft built for Apache Cordova), but since that's probably not going to happen any time soon, what is the best short-term option?
Azure Storage Explorer is a good example of an Electron app that does this. It even allows for being logged into multiple AAD accounts at the same time.
You might be able to check out what's going on in the app's dev tools. I've had a poke around and it looks like it uses adal-node npm package instead of the browser based js libraries.
It also looks like it uses an authorization code flow for obtaining tokens.
Azure AD doesn't support the file protocol as the reply address. To develop the single page application, you can host it on the server and use the server URL as the reply address.
Recently Apache Cordova announced that iOS contains 2 methods to bypass the URL access restrictions provided by the whitelist. An attacker can use any of the 2 methods to load malicious resources in an app that uses a whitelist to only load trusted resources.
As I am new to Cordova, can anyone please provide information on how much the above issue will impact the existing application and how? I am using Cordova iOS version 3.5.0.
Like it says in the link, this problem allows injecting malicious code into your app, as this involves plugin invocations. This can be used to retrieve all the information that you can extract from your app.
This can only be performed through external links; if you don't have links to external websites, or paths that you are not controlling, you are protected.
Also, I don't know about the extension of this backdoor, and maybe few people know it, but if you want to be sure, just update to the latest version of cordova-ios.
I'm using the iOS FBSDK in my app that allows Facebook as a means of logging in. My app will require that the user disclose their age and I would like to use Facebook's login flow to enforce this requirement. However, I'm having trouble setting anything as required (except for public profile, which is required by default). I would like to avoid having to tell the user that they can't use the app until they go into their account settings and turn it on. It's a disruptive user experience and the app truly needs certain permissions to function.
I set the login button's read permissions like this:
self.loginButton.readPermissions = @[@"public_profile", @"email", @"user_photos", @"user_birthday"];
and see this:
Is it at all possible to do this? When I look at apps tied to my own Facebook account, I see some (Tinder, Glassdoor, and more) that have required permissions so I assume there must be a way to do it.
It is not possible to mark specific permissions as required when using the Facebook OAuth dialog.
The difference in behavior you are seeing is most likely due to when you installed the apps, and what version of Graph API those apps were using. Graph API 1.0 did not provide the ability for people to revoke specific read permissions, and (I am guessing) when you installed those apps, they were targeting 1.0. With apps that are targeting Graph API 2.0 and higher, people have the ability to revoke specific permissions (except for public_profile), and apps need to be prepared to handle missing permissions.
The settings dialog you see reflects the version of Graph API that was used to install that particular app. Any Facebook App IDs created after April 2014 automatically target the current version (2.x) of Graph API in effect at the time they were created, and pre-existing apps were migrated to 2.x earlier this year. So, going forward, people will always be able to decline permissions other than public_profile when installing an app, but for apps already installed, their settings reflect the version that was in effect when they installed the app.