您可以信任您的浏览器扩展程序吗? 探索注入广告的Chrome扩展程序
My perspective on JavaScript-based browser extensions has been far too naïve until this point. We were all burned by bad toolbars or evil ActiveX add-ons in the past, so when I run IE I run it with no add-ons enabled, or very few. However, with Google Chrome and it's sync feature, as well as its rich extension store, it's easy to add a bunch of add-ons and get them synced to other machines.
到目前为止,我对基于JavaScript的浏览器扩展的看法还太幼稚。 过去,我们都被糟糕的工具栏或邪恶的ActiveX加载项所烧毁,因此,当我运行IE时,我没有启用加载项,或者运行的很少。 但是,借助Google Chrome及其同步功能以及丰富的扩展存储,可以轻松添加大量插件并将其同步到其他计算机。
I wanted to download a YouTube video recently so I installed a "U-Tube Downloader" extension. It is highly rated, seemed legit, so I added it. It puts a nice Download button next to any YouTube video. Like greasemonkey script it was there when I needed and it, and out of sight otherwise.
我最近想下载YouTube视频,因此安装了“ U-Tube Downloader”扩展程序。 它获得了很高的评价,似乎是合法的,因此我添加了它。 它在任何YouTube视频旁边都带有一个漂亮的“下载”按钮。 就像油脂猴子脚本一样,它在我需要的时候就在那儿,否则就看不见了。
I installed it and forgot about it. So, put a pin in that and read on...
我安装了它,却忘了它。 所以,在上面钉上钉子,然后继续阅读...
Today I was on my own site and this happened. A video slid onto my page from the right side and started playing. I was gobsmacked. I know this site, I know its code. I know my advertisers. WTH. Where is this coming from?
今天我在自己的网站上,发生了这种情况。 一个视频从右侧滑到我的页面上并开始播放。 我被吓坏了。 我知道这个网站,我知道它的代码。 我知道我的广告客户。 WTH。 这是哪里来的?
It's the surfing video there in the lower right corner.
它是右下角的冲浪视频。
First I knee-jerk emailed my advertiser asking if they were injecting this, then I pulled back and started to Inspect Element.
首先,我大胆地向我的广告客户发送电子邮件,询问他们是否正在注入此广告,然后我撤回并开始检查元素。
Looks like there's a supporting iframe, along with an injected div. That div includes JS from "vidible.tv" and the ads are picked from "panoramatech." But that's not all.
看起来好像有一个支持的iframe,以及一个注入的div。 该div包含“ vidible.tv”中的JS,广告则来自“ panoramatech”。 但这还不是全部。
There's references to literally a half-dozen other ad-networks and then this, something called RevJet.
确实有六个其他广告网络的引用,然后称为“ RevJet”。
Search around and here's the first description of what RevJet is.
到处搜索,这是什么是RevJet。
Whoa, ok, it's an extension. But which one? Grep for "Rev" in this folder C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Default\Extensions and I my U-Tube one.
哇,好吧,这是扩展。 但是哪一个呢? 这个文件夹C:\ Users \ Scott \ AppData \ Local \ Google \ Chrome \ User Data \ Default \ Extensions中“ Rev”的Grep,我是我的U型管。
有史以来最好的广告 (Nicest Ad Ever)
I particularly like the comment "nicest ad ever."
我特别喜欢评论“有史以来最棒的广告”。
This extension also injects ads from "Yllix" when I'm on YouTube, and RevJet when elsewhere. Apparently if I set revjetoptout in my local storage, I can get around this. Very NOT intuitive. I saw no options for this extension exposing this.
当我在YouTube上时,此扩展程序还会从“ Yllix”中注入广告,而在其他地方时,还会从RevJet中注入广告。 显然,如果我在本地存储中设置了revjetoptout,则可以解决此问题。 非常不直观。 我没有看到此扩展程序公开此选项的选项。
Worse yet, every once in a while, Kim Kardashian shows up in my New Tab page. Again, there's no way for non-technical relative to figure this out. And it's pretty hard for technical me to figure it out. This is deceptive at best.
更糟糕的是,每隔一段时间,金·卡戴珊(Kim Kardashian)会出现在“我的新标签页”中。 同样,非技术人员无法解决这一问题。 对于技术人员来说,要弄清楚这一点非常困难。 这充其量是骗人的。
Ugh.
啊。
Yes, I realize someone put work into this extension, and yes, I realize it was free. However, it wasn't clear that it was going to randomly inject ads into any website without asking. It wasn't clear that the ads were injected by this extension. There was/is no clear way for anyone without the ability to debug this to make it stop. Charge me a $1, but don't reach into webpages I visit and mess with my content without telling me.
是的,我知道有人在此扩展中投入了工作,是的,我意识到它是免费的。 但是,尚不清楚是否会在不询问的情况下将广告随机注入任何网站。 尚不清楚广告是否由该扩展程序注入。 没有/没有明确的方法可以让任何人都无法调试它以使其停止。 向我收取$ 1,但不要进入我访问的网页,并且在不告诉我的情况下弄乱了我的内容。
I recommend you check out chrome://extensions/ and give each enabled one a good hard look. Consider disabling or uninstalling extensions you may have forgotten about or ones you don't explicitly trust. If you're a dev, consider reading the code within the extensions and make sure you're getting what you expect.
我建议您检查chrome:// extensions /并为每个启用的外观赋予良好外观。 考虑禁用或卸载您可能已经忘记的扩展名或不明确信任的扩展名。 如果您是一名开发人员,请考虑阅读扩展中的代码,并确保获得期望的结果。
关于斯科特 (About Scott)
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
斯科特·汉塞尔曼(Scott Hanselman)是前教授,前金融首席架构师,现在是演讲者,顾问,父亲,糖尿病患者和Microsoft员工。 他是一位失败的单口相声漫画家,一个玉米种植者和一本书的作者。