15

Since the version 35 of Google Chrome, the execution of any extension installed outside of the Google's PlayStore is blocked and cannot be enabled from the extensions menu.

The auto-installation of non-store scripts was removed two years ago but downloading the script and performing a drag & drop on the extensions menu still allowed the installation, so it was still possible to create and share scripts for Google's Chrome. But now everything is locked.

  • Is it possible to manually add permissions to your independant scripts ?
  • Is it possible to white-list a personnal website ?
  • Is there any other solution ?

I know that this restriction does not apply for dev and canary release channels but the scripts are purposed to be used by users with enough knowledge to know what they do, without forcing them to change their browser. The native support support is rather interresting on Chrome (even if completly locked now), so a solution without a third party plugin (ie : Tampermonkey) is better.

Thank you

Demurgos
  • 1,568
  • 18
  • 40
  • Oh thanks for the notification, looks like I need to start using the canary channel after all. The change probably is for the best, even though it personally hits me pretty hard as it just makes it harder to get people to test my in development extensions (which already isn't easy) – Winchestro Jun 07 '14 at 07:54
  • May I ask, what is the reason for not converting them to full Chrome extensions and publishing? – Xan Jun 07 '14 at 08:41
  • 1
    @Xan registering a developer account is a hassle. I know it's better than appstore and it's super annoying for reasons, it's still a huge burden. Paying 10$ just so you can distribute your extension for free without any monetization also is kinda sad. Forcing credit card payment and not accepting any other currency (not even their own) is even worse. Also you may not want to publish it, because it's still in development but you want to get some feedback while polishing, especially if you are a new developer. I could go on for hours :) – Winchestro Jun 07 '14 at 09:49
  • 2
    I agree on the $10 thing; I was grandfathered in when they established the policy, they have valid reasons for it, but still it's a hassle. As for development version, there are several publishing options available besides "public". Still, it makes TamperMonkey the best route - it's not much extra hassle for the user. – Xan Jun 07 '14 at 09:53
  • @Xan : My reasons are that : the current script I'm developing depends on accounts and is automaticly generated by the server with keys and other security features. Most of my other scripts are for private usage (intended for developer friends) and I don't see the point to pay, even 10$, if I just want to let them test it without a lot hassle. My last argument is that I already have my own server hosting my scripts and managing updates and notifications, I don't want Google to take power over all of it : event it's good for massive distribution, I prefer to keep control over what I create. – Demurgos Jun 07 '14 at 11:18
  • @Demurgos Too late; this is exactly what Google did, seized control over distribution for the widest segment of their market. – Xan Jun 07 '14 at 11:21
  • 2
    I know, but with this new version they went from "Come on, it's easier & safer to use our store" to "Come on, you have no choice" so that's why I'm asking better developers if there's still a workaround. – Demurgos Jun 07 '14 at 11:26
  • 2
    The $10 is but the tip of the iceberg. By forcing credit-card payment, they get hard data leading towards your: name, address, phone number, credit score, etc. -- which they can then use for all kinds of tracking and marketing purposes. Companies pay billions for this kind of focused, market data. Google makes you pay them. – Brock Adams Jun 11 '14 at 22:32

4 Answers4

13

The only way there seems to be left, short of installing an extension like Tampermonkey or getting a different browser, is starting the Chrome browser with the --enable-easy-off-store-extension-install flag.

Edit: Unfortunately, Google removed this flag from Chromium in April.

However, if the user (or any program) starts Chrome without this flag even once, the scripts will be disabled automatically. You can't re-enable them, even with the correct flag; your only option is to uninstall them and re-install then in the easy off-store extension install mode.

So, your options are:

  1. Start Chrome with the --enable-easy-off-store-extension-install flag every time. If you have pinned Chrome to the task bar in Windows 7, the way to change the command line arguments for this shortcut is described here.
    If you have set Chrome as the default protocol handler for the HTTP and HTTPS protocols (which is the case if you made Chrome your default browser), you can modify the registry so this flag is set every time a program tries to open an HTTP or HTTPS URL with the default program.
    Also make sure you set this argument for file extensions Chrome is configured to open, such as .xht, .htm and .xhtml. You can do this with the following .reg file:

    Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command]
@="\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --allow-easy-off-store-extension-install -- \"%1\""


    Make sure the path to Chrome is correct when you install this.

  2. Install an extension such as Tampermonkey to manage your user scripts.
  3. Install a different browser, either developer builds of Chrome or a completely different browser, such as Opera (which has native support for user scripts) or Firefox (with Scriptish).
  4. Blocking Chrome updates before you receive version 35 and risk getting hacked.
  5. Switching to a different operating system, as extensions are only blocked on Windows.
  6. If your computer is part of a Windows domain, you can install extensions using Group Policy.
  7. Turn your user scripts into bookmarklets.

I realize this is probably not what you want to hear, but as Google continues to restrict honest developers because of a few bad players there are no better options.

Edit: there is one more approach that I've found to be working, namely hijacking an installed extension with the correct permissions:

  1. Find and install an extension that has permission to run a content script at the web page you want it to run at. For example, the Note Anywhere extension has permission to inject a user script when a document has loaded for any HTTP or HTTPS URI.
  2. Go to the extensions page to find the ID of the extension.
  3. Open the folder where Chrome stores the extensions. On Windows, this is %localappdata%\Google\Chrome\User Data\Default\Extensions.
  4. In manifest.json, find the name and location of the injected script. Overwrite the contents of this file with your user script. (In the case of the extension chosen as an example, this is asset/stickies.js.
  5. Remove any content of the extension not referenced in manifest.json. Replace any referenced scripts and HTML pages that you aren't using with emtpy files.
    For the extension mentioned above, I'd remove anything except for the icons, the content script, asset/stickies.css and background.html and replace the latter two with an empty file.
  6. Go to the Chrome extensions page and disable and then re-enable the extension.
  7. Make a back-up of your work in case the extension is updated.
  8. Make a note somewhere that the extension in the extensions list has its contents replaced with your user script.
user2428118
  • 7,935
  • 4
  • 45
  • 72
  • The flag solution solves the problem so long as you open Chrome with this this flag. It works fine, even if you close & reopen it (with flag), no need to to enable manually after each start. BUT if you forget one and only one time to run it with the flag, the userscript is marked as "non-webstore" and even reopening with the flag do not solve the problem (deletion & reinstallation of the script is required). The problem is that the default browser might be triggered without the flag by the system or other applications so you do not really control it. – Demurgos Jun 11 '14 at 11:41
  • 1
    Great overview of the options. – Xan Jun 11 '14 at 11:44
  • The second solution is the one I will use as stated in my own answer because the others are too "intrusive" for the users. But since your solution is really complete I will upvote it. (Can you just edit your answer with my test about the flags ?) – Demurgos Jun 11 '14 at 11:45
  • @Demurgos I've updated my answer with the information from your comment. And yes, I was aware that you mentioned Tampermonkey already, but I included it for completeness. – user2428118 Jun 11 '14 at 12:01
  • Thanks, I'll leave some time if someone wants to post an other answer, then I'll award you the bounty (though I'm still confused if I can mark this question as resolved :s) – Demurgos Jun 11 '14 at 12:02
  • 1
    @user2428118 The "easy-off-store-extension" flag was removed a while back from Chromium, please edit your answer to reflect this. – Rob W Jun 14 '14 at 13:43
13

EDIT : I validate this solution because it's what helped me particularly on this problem. A much richer answer is the list of workarounds submited by user2428118. Even if they did not solved my specific problem, they should be considered.

I finally could find an answer to my question thanks to the link posted by yoz, and the fact is that you can still enable a script unrelated to the PlayStore, without any third party plug-in, but as you'll see : it might be better to use TamperMonkey (even if it might imply little adaptations, it's 200% easier).

The solution is to import the unpacked user-script in developer mode.

Step By Step Explanation

  1. Create your user script myscript.user.js as usually

  2. Include it in a directory and create a file named manifest.json. You'll get this structure (can be zipped for distribution) :

    myscript/

    • manifest.json
    • myscript.user.js

  3. The manifest.json is a file required to import your script as a Chrome extension in developer. It describes your user script. Here is the related documentation, but the minimal code for our purpose is :

     {
     "manifest_version":2,
     "version":"1.0",
     "name": "MyScript",
     "content_scripts": [
         {
             "js": ["myscript.user.js"],
             "matches": ["http://domain.com/"]
         }
     ]
 }

  4. Now that you have your directory with your user script and manifest.json, you can import it as an unpacked extension (a packed one will be disabled after Chrome's restart). To achieve this, simply check the "developer mode" and choose "Load Unpacked Extension...". Navigate to the directory created at step 2 and select it : that's "all".

Load Unpacked Extension

Pros

  • Native solution
  • Natural for you if your developing your script on Chrome (obviously this wasn't my case :P)
  • Your script is now treated like a "real" extension.

Cons

  • Oh, god... I'm missing the one-click install : even if the user only has to achieve the step 4 it's still a pain.
  • Looks less "professional" because the user has to enable the developer mode
  • No longer "cross-browser" distribution since the Google Chrome's script has to be packed in a special way
  • The original directory cannot be (re)moved without breaking the script
  • A warning will be triggered every single time Chrome is opened to ask if you are sure that you want to use developer mode

Conclusion

I liked the way user-scripts had native support on Chrome : every third party plugin has some small variations (ie : datas or xhr handling). But the cons are to numerous and to important (especially the two last ones)... Even if enabling a non-PlayStore script is possible in a native way, it became such a pain that I recommend to adapt the script for a plugin such as TamperMonkey. After all, Chrome was an exception since every other browser require a plugin, now these plugins are the only way.

I still feel a bit disappointed, so if anyone happens to find a better solution (still hoping for some white-lists) I would enjoy to offer some bounty.

EDIT : Please note that user2428118 provided a list of other interesting workarounds. Even if they did not solved my specifif problem, they should be considered.

EDIT : manifest fixed

Community
  • 1
  • 1
Demurgos
  • 1,568
  • 18
  • 40
  • Great! I was really annoyed by the change; this seems the best fix to me. I don't want to use an unstable browser for all my browsing just to convert some text to hyperlinks! – Danny Tuppeny Jun 16 '14 at 10:51
5

The continuation of solution number 1 from @user2428118 answer.

To ensure that you ALWAYS starts Chrome with --enable-easy-off-store-extension-install flag you, can use (additional to editing all shortcuts in menu start etc.) this registry file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --enable-easy-off-store-extension-install -- \"%1\""

[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --enable-easy-off-store-extension-install -- \"%1\""

Replace C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe with actual path to chrome.exe in your system.

Community
  • 1
  • 1
user11153
  • 8,536
  • 5
  • 47
  • 50
  • Thank you, it solves the problem with Chrome opened by other softwares. I won't try it because it's too intrusive but it's worth being mentioned. =) – Demurgos Jun 12 '14 at 17:29
  • **I plan to upvote you, don't worry**, but for now I didn't done it because I'm still not sure how to preserve readability of the topic. This should follow the user2428118's answer but on its one it is not a complete top solution so I don't want to do a mistake. I think that the best would be to edit the other answer to add your answer and a link to the original comment but I did not wanted to do it without asking you (this is why the "thank you" : to get your attention and help me a bit :/). – Demurgos Jun 12 '14 at 19:28
  • @Demurgos *"I think that the best would be to edit the other answer to add your answer and a link to the original comment"* - I have done something like this multiple times in past and ALWAYS my edits have been rejected. So I started always post my own answers. – user11153 Jun 12 '14 at 19:43
  • 1
    Ok, apparently it was edited on the other message. I give you an upvote ;) – Demurgos Jun 13 '14 at 19:50
3

Unfortunately, aside from extensions like Tampermonkey, there don't seem to be good workarounds, given the way your script is generated differently for each user.

This is the best explanation I've found:

http://www.chromium.org/developers/extensions-deployment-faq

yoz
  • 902
  • 8
  • 20