Download Extensions from the Google webstore for offline inspection and install

We all know that Google does not get its act together and often times failed to detect, when Extensions contained malicious code – and that the culprits have become are very creative in evading the inspection bots.

As happened multiple times in the past, extensions changed their owner and a short time after that started to contain malicious code. Because Google “prevents” downloading of extensions for inspection without installing them first, we must convince them, that it is a legitimate download. In the past there were websites like “Chrome Extensions downloader”, which provided a convenient was to download them, but since Google changed the usual address scheme, those sited broke – but no worry, It is still possible by using a simple bookmarklet.

  • Create a new bookmark in Vivaldis Bookmark
  • Give it a recognizable name, e.g. “Download Chrome Extension”
  • Add a shortcut like e.g. crx
  • Copy the following as address:
    javascript:location.href='https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=%27+(navigator.appVersion.match(/Chrome%5C/(%5CS+)/)%5B1%5D)+%27&x=id%%27+%273D%27+(document.querySelector(%27a%5Bhref%5E=%22https://chrome.google.com/webstore/report/%22%5D%27).pathname.match(/%5B%5E%5C/%5D+%5C/*$/)%5B0%5D)+%27%%27+%2726installsource%%27+%273Dondemand%%27+%2726uc%27;
  • Click in the bookmarks address field and arrow to the start of the address and, if missing, add javascript: (without quotes) in front of the address.

After all that is done and checked, you can visit the Google Webstore, search for an extension you want to inspect before install, and type “crx” in the address bar, hit “save as” and rename extension_[version number].crx to something sensible.

If successful, you can unpack the Extension with e.g. 7zip and open the files with a Editor of your choice.

Happy inspecting!

Pregnant With Passive Heater

full size image (opens in new tab)

The translation tool Lingvanex, which is the one Vivaldi uses and hosts on its own servers in Iceland, translated this:

That’s a good idea. Starring themes would allow for the creation of personal collections for sync and backup purposes. Then all that would be needed is an additional »Install All« or »Install Missing« button.

… to that:

Das ist eine gute Idee. Darstellerthemen würden die Erstellung persönlicher Sammlungen für Synchronisierungs- und Sicherungszwecke ermöglichen. Dann wäre nur noch eine zusätzliche Schaltfläche »Alle installieren« oder »Fehlern installieren« erforderlich.

Correct back translation of the German text:

This is a good idea. Viewer themes would allow the creation of personal collections for synchronization and backup purposes. Then only an additional “Install All” or “Install Errors” button would be needed.

Even Google translate is better than that:

Das ist eine gute Idee. Star-Themen würden die Erstellung persönlicher Sammlungen für Synchronisierungs- und Sicherungszwecke ermöglichen. Dann wäre nur noch ein zusätzlicher »Install All«- oder »Install Missing«-Button erforderlich.

The champion, as always, is DeepL:

Das ist eine gute Idee. Themen mit Sternchen zu versehen, würde die Erstellung persönlicher Sammlungen für Synchronisierungs- und Sicherungszwecke ermöglichen. Dann bräuchte man nur noch eine zusätzliche Schaltfläche “Alle installieren” oder “Fehlende installieren”.

which translates back almost perfectly to:

This is a good idea. Starring themes would allow the creation of personal collections for synchronization and backup purposes. Then all that would be needed is an additional “Install All” or “Install Missing” button.

It even gets worse, if you translate from French to German or English, and it becomes completely garbage when trying to translate more technical texts, like the one in the hero image:
“Schwanger mit passivem Heizkörper” (English: “Pregnant with passive heater”)
WTF?! Much luck to make sense of that!

Conclusion

It is not even able to translate simple texts from the forums and completely unusable for anything that contains subject-specific words.

Liquify aka IWarp arrived in Harmony

136 lines of additional vanilla JS code, plus some more lines for new UI elements and I have added my 32nd brush to Harmony, the procedural painting tool:

Say hello to Liquify (PS), IWarp (GIMP) or however it is called in other full blown image manipulation applications!
I probably need another name to avoid trademark infringement (Is that a felony?)

I still have to tweak some parameters and clean up my messy code a bit ( 😉 ) but it is looking good so far.

PS: Did I say that it supports alpha transparency too?

Adding Search Engines to the Vivaldi Browser (followup)

Some search engines can’t be added to Vivaldi by right-click in the search field > “Add as Seach Engine …”, but only manually. The following describes a possible method to add some of those.

If searches do not use a regular search field in the code but a custom one, they cannot be be auto-detected.

How to add such Search engines anyway?

  • Enter e.g. “test” in the search field for a site and press return
  • On the result page: Look if the word “test” is in the address bar
  • If yes: Copy the whole address.
  • If not: Maybe the search engine uses POST and you must use a different method like: How to add search engines that use POST to Vivaldi
  • Open Settings > Search > Search Engines
  • Click at the “+” in the left column to add a new search engine
  • Give it a name e.g “my search engine” and a shortcut e.g. “mine”
  • Paste the URL in the URL field
  • In the URL field, replace “test” with “%s

If you then type “mine some search terms other than test” in the URL field of the address bar and if it works:

Congratulation! You have successfully added the search engine.

If it does not work and the linked article for adding POST searches did not work too, then you might be out of luck and the search engine uses JSON API calls, which is a beast of its own and needs case by case analysis of the web page code, if it is possible at all.

Warning:

  • Those custom search fields were never meant to be added as search and they might break as soon as the site changes its code.
  • The general method described above might not work for other sites, so please test if it works for you and if not, remove the search again by pressing on the “-” in the left column of the search engine editor.

Discarding Problems in Vivaldi

While testing a new Vivaldi function (which is not yet in the public builds at the time of writing), I have found a serious bug (not a real bug, but more of a serious annoyance) in connection with my Auto Discard extension:

The extension cannot recognize if tabs are tiled, i.e. 2 tabs are visible at the same time.
This is a pure Vivaldi problem because other browsers cannot tile tabs.

Example:
If I have entered something in e.g. a text field of Tab1 and set Tab2 to active, because I need to e.g. scroll Tab2 to look something up, and the extension hits while I am in Tab2, it discards the not focused Tab1.

Tab1 will be immediately reloaded (probably a Vivaldi hack to make tiling possible at all) but I lose all contents I have entered, because obviously the browser doesn’t store the full state the site is in including the entered text (which is a long standing and highly annoying chromium behavior)

There are 3 tab states:

  • active
  • passive
  • disabled

According to the tabs API I only can access active:[boolean].
(see chrome.tabs API description )

Ideally the API would return all 3 states, but that is not feasible because it would break every other extension that makes use of the activity status and expects true or false.

For me it would be fully sufficient if I could check the visibility status of the tab instead (as it is shown in vivaldi://discards ) and only hibernate hidden tabs, because the inactive tab has the status visible loaded passive, in opposition to hidden loaded hidden of normal tabs or visible loaded active of regular active tabs.

Using the Page Visibility API is no solution because
document !== tab
I know that I can see it for the document, but I can’t use it because I don’t want to inject stuff and message back to the extension.

is possible with a content script, but messaging from the background script to the content script and back again inside of chrome.tabs.query seems to be incredibly clumsy in my eyes.
Problem: AFAICS the content script acts only on the active tab …

edit:
partially solved by adding

if (tab.extData){
    let temp = JSON.parse(tab.extData);
    if ('tiling' in temp ) {
        return;		
    }
}

which excludes all tiled tabs from hibernation.
/edit


Please let me know in the comments, if you know a better way how this Vivaldi problem can be mitigated or circumvented.

Better Tab Stacking

Vivaldi’s tab stacks are a fiddly thing if you don’t use the window panel.

Disadvantages of the existing tab stacking solution:

  • If you have a large tab stack of maybe 60+ tabs, the tab previews can block the whole UI.
    Tab stack blocking the whole UI(VB-17414)
  • Especially in windowed mode (restored node, i.e. not maximized) the tiny indicators / drag handles violate Fitts’s law and are a PITA to grab.
    I challenge you to drag a tab out of a stack like the following on a touch screen!
    Tab stacking handles violating Fitts's law
  • The artificial delay makes stacking quite unpredictable if your tabs are already small (which is one of the reason why one might start stacking tabs in the first place).

I could go on, but these are the main problems.

A better solution

Sadly tab stacks did not get much attention lately, despite better solutions exist, like shown in the following screen recording.

Tab stacking with accordion

This is probably not the only solution, but almost anything is better than the the situation as it is now.

Benefits of an “accordion” solution:

  • The drop zones are starting at 20% from both sides, i.e. 20% non-drop, 60% drop into a stack, 20% move tabs to make space for dropping. This goes for both directions.
  • There is no artificial delay needed to avoid or enable dropping.
  • It is easy to stack tabs.
  • It is easy to add more tabs and position them in the tab stack(s) without having to open the window panel.
  • It is easy to drag a tab out of the stack again.
  • It is easy to delete a single tab from the stack without activating it first.
  • It is easy to drag a tab from one stack to another.
  • Stacks can be “opened” and expand to the full available width
  • Multiple stacks can be kept open at once.

I wonder how long we have to wait, until we get a better solution.

edit 2020-11-13:
It looks like Chromium got it before Vivaldi. It can be activated via:
chrome://flags/#tab-groups
Additionally the tab bar is scrollable if you activate:
chrome://flags/#scrollable-tabstrip
Both functions work flawless in Chromium 88 and have added some nice touches to show which tabs belong to which group (colors!)
It works in the latest Edge too, but (as of today) Edge cannot collapse the groups.

First American exposed 885 MILLION full datasets. Translation of their statement to plain English

After exposing 885 MILLION full datasets title insurance records, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images, which covers the last 16(!) years, the estate title insurance giant First American Financial Corp issued this statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.”
Translation: We have used a cobbled together web page which had no security audit in any way (because if we had, this would have been checked in the first place, because breaches exactly of this kind are the most common in “the industry” and happened multiple times before on other big sites. If you were logged in to their website, you needed only to manipulate the sequential number in the address bar to get access to any other account. Of course nobody expects to change one number in a 9 digit sequential number to see if there is another record. We are totally surprised! Such things were previously unheard of … NOT!
“At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”
Translation: Now that we’ve got caught with it, we try some damage control. (Damage control for the company, because the damage for the users and and for the customers of the users already happened in the past)
“The company took immediate action to address the situation and shut down external access to the application.”
Translation: We did not yet fix it, but now that we’ve got caught, we took it offline (which we wouldn’t have needed if we had a full security audit of the public facing side of our site in the first place).
“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
Translation: We are frantically searching for someone else we can blame – preferably an outsider. Of course we know that all of the data was unencrypted facing the web and evaluate how we can get out of it, because if enough people sue us we might see a billion dollar fine. Other than that: No Comment until it’s all water under the bridge.

Other translations of other breaches would be welcome.

Edit 2019-06-03: Meanwhile New York regulators are investigating the a weakness as the first test of the state’s strict new cybersecurity regulation. That regulation, which went into effect in March 2019 and is considered among the toughest in the USA, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

Let’s hope they use it to send a strong signal and give them a decent rap on their knuckles.

Edit 2019-07-02: It seems that, according to Bloomberg, a Class Action Lawsuit was filed. That can become expensive …

Edit 2020-06-18: New York State Department of Financial Services (DFS) found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018 and they did not fix it or shut it down before it went public in May 2019. The DFS was not amused:

Respondent’s mishandling of its own customers’ data was compounded by its willful failure to remediate the Vulnerability, even after it was discovered by a penetration test in December 2018.

Source: https://www.dfs.ny.gov/system/files/documents/2020/07/ea20200721_first_american_notice_charges.pdf (Page 2 at the bottom)

Edit 2021-02-14:

Penalty total since 2000: $14,145,524

… now we know what a full data set of an average First American customer is worth: 585,000,000 / 14,145,524 ≅ 2.504 ct
Source: Violation Tracker


Photo by Cytonn Photography on Unsplash