0

Is there any possible way to track a Chrome extension's outgoing network communication from a website?

Let's assume that a Chrome 'content script' extension sends AJAX queries to a server on a specified IP to create custom analytics. This extension works in the browser while the user browses through various websites.

Is there any possibility for these websites to track what the extension does (that it opens AJAX) or where it sends data to (to which IP it was trying to send the AJAX query)?

UPDATE

To be clear, I am curious about an independent third-party website's tracking abilities, not the extension-user's.

UPDATE

More clarification: the extension is sending requests to a server not related to the servers/websites the user is browsing.

EXAMPLE

The user is browsing YouTube and Facebook daily. This extension sends AJAX queries to a storage server where the user's visited URLs are stored (YouTube and Facebook). What I would like to know is, does e.g. Facebook know that this extension does this, and what the IP of the storage server is?

3
  • Send those requests in your extension's background page. Commented Jul 21, 2016 at 9:08
  • 1
    I think if content_scripts do not have access to variables or functions defined by web pages, then the converse assertion is true too. That is, a web page can't track requests from content_scripts. Execution environment Commented Jul 21, 2016 at 9:38
  • @wOxxOm What is the practical advantage? Commented Jul 21, 2016 at 14:21

2 Answers

2

Basically, no, because of the concept of isolated world. Emphasis mine:

> Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. It looks to each content script as if there is no other JavaScript executing on the page it is running on. The same is true in reverse: JavaScript running on the page cannot call any functions or access any variables defined by content scripts.

So if you were thinking of doing something like overriding XMLHttpRequest, this would not work, as a content script has a "safe harbour" you can't touch.

And that's even before the possibility to delegate network operations to the background script, which is a completely different origin.

There is an exception to this: an extension can sometimes inject code directly into the page context. Then it coexists with the website JavaScript and in theory one can spy on another. In practice, however, an extension can execute its code before any of the website's code has a chance to react, and therefore stealth / shield itself from interference.
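
The isolation described in this answer can be modelled outside the browser. The following is an added example, not part of the original answer: it uses Node.js `vm` contexts as stand-ins for the page's world and the content script's isolated world, and the `XMLHttpRequest` stub, the `report` hook and the `storage.example` URL are constructed for the demo.

```javascript
// Added illustration (runs in Node.js): each vm context stands in for one
// JavaScript "world" of a tab. Both worlds share one DOM-like object but get
// their own globals, which is the property the answer relies on.
const vm = require('node:vm');

// Evaluated in every new world: a minimal XMLHttpRequest stand-in
// (constructed for this demo, not a browser implementation).
const XHR_SRC = `
  globalThis.XMLHttpRequest = class {
    open(method, url) { this.url = url; }
    send() { document.sent.push(this.url); }
  };`;

function makeWorld(sharedDocument) {
  const world = vm.createContext({ document: sharedDocument });
  vm.runInContext(XHR_SRC, world);
  return world;
}

function demo() {
  const document = { sent: [] }; // shared "DOM"; `sent` records every request
  const seenByPage = [];         // what the website's hook manages to observe
  const pageWorld = makeWorld(document);
  const contentScriptWorld = makeWorld(document);

  // The website wraps XMLHttpRequest.open in its own world to watch URLs.
  pageWorld.report = (url) => seenByPage.push(url);
  vm.runInContext(`
    const realOpen = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function (method, url) {
      report(url);
      return realOpen.apply(this, arguments);
    };`, pageWorld);

  const request = `
    const xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://storage.example/visits'); // constructed URL
    xhr.send();`;

  // Case 1: the request is issued from the content script's isolated world.
  vm.runInContext(request, contentScriptWorld);
  const afterContentScript = [...seenByPage];

  // Case 2: the same code injected into the page's world (the exception).
  vm.runInContext(request, pageWorld);
  return { afterContentScript, afterInjected: [...seenByPage], sent: document.sent };
}

console.log(demo());
```

Both requests are sent, but the page's hook records only the one made from its own world.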

0

Maybe this is overkill, but you can try to sniff your own traffic using Wireshark (or any other program) and have a look at the requests. If they are using HTTPS then things will be harder and you will have to decrypt the traffic.

3 Comments

Thanks Pablo, but if I understand it right, Wireshark and similar stuff need to be installed on the client's computer (the one that uses the extension) and not on the visited website owner's. I will now make an update to my question to make sure I am clear that I am curious about an independent website's tracking abilities, not mine as the user of the extension.
Yes, I understood it the wrong way. I think they can track the origin of the request. For example, imagine that you are retrieving a JSON from api/getUser.php?id=1. They will be able to check $_SERVER: [$_SERVER PHP](php.net/manual/en/reserved.variables.server.php)
Yeah, that is right. I need to clarify it a bit more. The extension sends requests to another server not related to the server on which the extension user is browsing (using a cross-domain JSONP request). I will append this clarification to my question soon.
