Google recently launched a redesigned version of its Web Store where one can install extensions and web apps. One particular feature caught my attention: it marks the extensions that you already have with a check mark. How does the web page know which extensions you have installed?
Turns out the answer is simple. The Web Store is a pre-installed web app (actually, it is even hardcoded into the browser). Web apps in Chrome can have special privileges if they request them, same as extensions. A look at the
Preferences file shows the privileges of the Web Store app: management API and
webstorePrivate API. The former allows querying your installed extensions which explains how the website learns about them. But it can do more: enable or disable extensions and even uninstall them without any kind of visible notification.
webstorePrivate API is (as its name already says) meant for the Web Store only. It isn’t documented online but you can find the documentation if you search in the
chrome.dll file. It is apparently the Chrome equivalent of Gecko’s InstallTrigger, with the difference that Firefox makes
InstallTrigger available to all websites. But its functionality goes beyond that. First of all there is a method
silentlyInstall(), the documentation claims that only some extensions can be installed this way however. The list can be found in extension_webstore_private_api.cc file in the Chrome source code. Apparently, the trusted extensions are currently Google +1 Button and Google+ Notifications. There are 6 more extension IDs on the list which are currently unused (but Google could add these extensions to the Web Store at any time).
If you use Sync in Google Chrome then Web Store already knows you — thanks to method
getBrowserLogin(). And if you don’t, the method pair
getStoreLogin() makes sure that the store never forgets you even if you remove your cookies.
So much about the Web Store web app. But from my
Preferences file I learned that I have more web apps that I never installed. YouTube? Gmail? Where did these come from? Turns out, these web apps had some help getting their top popularity in the Web Store. My Google Chrome installations (at least Chrome 16 and Chrome 17, not Chrome 15 for some reason) have a file
default_apps/external_extensions.json where these apps are defined. Removing this file seems to be the only way to get rid of these apps but it will come back on the next Chrome update of course.
Obviously, the point here isn’t really cheating with the popularity ranking of the own web apps (though maybe it is, to some degree). The installed web apps are featured prominently on the new tab page which is likely what this is mostly about. After all, this page is advertising space (the
ntp entry in the
Preferences file tells me that there was an advertising campaign for Chromebook running on this page until November 8th but I have zero views — somehow I missed it). And another nice side-effect: Gmail automatically gets the notification permission and can display desktop notifications without asking the user for permission. Bad luck for all the other webmail services out there.
Don’t get me wrong: Google Chrome is a great browser and it is easy to get excited about it, argue about benchmarks, brand-new standards and such. But sometimes you get a reminder: this is a Google product and it has to benefit Google. It isn’t merely about making the web better, it is also about promoting Google products and giving them an advantage over competing services. Google may speak out for net neutrality but with their browser the own services get prioritized. Even if it requires violating your privacy.