Detection is always a cat and mouse game. Using an extension in a real browser (instead of electron/headless chrome) is probably one of the hardest to detect because it requires running a "real" browser.

Of course somebody will find a way to detect it, then the extension maker will patch it, and the cycle will continue.

Correct me if I’m wrong, but is it not still as simple as knowing the “chrome-extension://” unique ID of the extension? I’m aware of the cat and mouse aspect of scraping and that was one of the pitfalls I’ve been wary of as a fingerprinting vector.

I'd be surprised if sites had permission to read a chrome-extension:// URL. That'd be a sizable privacy leak.

I'm not sure about the chrome-extension protocol, but this API still seems to be present: https://developer.chrome.com/extensions/runtime#method-sendM...

I just tested in Chrome 77, and I could only do `chrome.runtime.sendMessage("clngdbkpkpeebahjckkjfobafhncgmne", {},{},console.log)` from within the Stylus extension page, not from an external page like Hacker News.
