
I am working on allowing a chrome extension to post a new entry to my site via post data.

I want to be able to lock it down so only the chrome extension can post. If I get post data from anywhere else I want to reject it.

Does anyone know if/how this is possible or how you would go about doing it?

mattl
  • Unfortunately there is no way right now to solve this problem. Please have a look at the answer below and I think you should accept it. – Sachin Jain Mar 24 '15 at 05:09

2 Answers


Unfortunately, validating clients (whether a Chrome extension, an Android app, an iOS app, client-side JavaScript, or some other client) from a web server is an unsolved problem.

There are some things that you can do to deter abuse and mitigate this problem such as:

  • Requiring user authentication (and rate-limiting usage per-user)
  • Rate-limiting access on the basis of IP addresses
  • Requiring tokens to be provided that are handed out in prior requests (this can be used to ensure that certain APIs are called in certain expected orders / patterns).
  • Showing a CAPTCHA or other challenge for anomalous or over-limit usage

While you can additionally check things such as user agent, referrer URL, or a token that you embed in the Chrome extension, with any distributed application it is easy to reverse-engineer these and mimic them in a counterfeit app, and so these aren't true solutions.

Michael Aaron Safyan
  • I am wondering if Analytics Solutions also face the same problem. Those calls can be mimicked as well. I am not sure if those solutions solve this problem and bifurcate the fake calls some way. – Sachin Jain Mar 24 '15 at 04:53
  • They do face the same problem. It's rarely a problem if there is no incentive for abuse, but as soon as you get into a situation where, for example, the metrics actually affect revenue then abuse is, in fact, a major issue. Often it is addressed by various machine learning classification techniques to filter out spammy invocations. – Michael Aaron Safyan Mar 24 '15 at 05:04
  • Agreed!! I was just hovering on similar articles for the past couple of days. I could not find anything related to "If any of Analytics Solutions implement any technique to filter out spammy calls". It is the customer who has to identify and block the IPs or take other preventive measures. – Sachin Jain Mar 24 '15 at 05:08
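A server-side sketch of the mitigations listed in this answer (user authentication, a single-use token handed out in a prior request, and per-user rate limiting), added here as an illustration and not code from either answer; it is Python rather than the asker's PHP, and the signing key, limits and user names are constructed demo values:

```python
import hmac, hashlib, secrets, time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Constructed demo values; a real deployment loads the key from configuration.
SERVER_KEY = b"demo-server-key"
RATE_LIMIT = 3            # accepted posts per user per window
WINDOW_SECONDS = 60.0

_issued_tokens = set()            # (user, token) pairs handed out but not yet spent
_post_times = defaultdict(deque)  # per-user timestamps of accepted posts


def issue_token(user: str) -> str:
    """Step 1: an authenticated request (e.g. loading the form) hands out a nonce
    bound to the user. Only a server-signed, unspent nonce is accepted later."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    token = f"{nonce}.{mac}"
    _issued_tokens.add((user, token))
    return token


def _token_valid(user: str, token: str) -> bool:
    """Signature must match this user, and the token must not have been spent."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and (user, token) in _issued_tokens


def handle_post(user: Optional[str], token: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Step 2: the POST carrying the new entry. Returns (HTTP status, reason)."""
    now = time.time() if now is None else now
    if user is None:                       # require an authenticated user first
        return 401, "authentication required"
    if not _token_valid(user, token):      # enforces the expected call order
        return 403, "missing, forged, or already-used token"
    recent = _post_times[user]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()                   # drop posts outside the sliding window
    if len(recent) >= RATE_LIMIT:
        return 429, "rate limit exceeded"
    _issued_tokens.discard((user, token))  # single use: a replayed token is rejected
    recent.append(now)
    return 201, "created"
```

None of this proves the caller is the extension, which the answer says is impossible; it bounds what a counterfeit client can do per account and per window.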

You can add a simple check in the code.

The following code stops anyone who is trying to access your API from outside the Chrome extension.

$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : ''; // avoid a PHP notice when the Origin header is absent
if (substr($origin, 0, 19) !== "chrome-extension://") die("Not Allowed");
Adnan Ahmad