The name hangout_services suggests this is some old tech debty hack intended to make developing Google Hangouts easier by giving that team a direct stream of telemetry. For those who have forgotten, Hangouts was the first app that did video calling in the browser using what became WebRTC. If you look at what this module is doing it's exposing stuff like CPU/GPU/RAM usage/hardware details back to the app that it wouldn't normally have.
My guess is that Google will react to this Twitter thread by simply deleting it. Hangouts has been a dead product for a while; if their server side code still uses it they can surely remove it as presumably the Chrome team monitor WebRTC performance themselves in a multi-site way now, given the much wider usage.
No, this is used by Google Meet right now. Open the "Troubleshooting" panel in meet.google.com in Chrome, and you'll see live system wide CPU usage reporting :)
In principle, that's something that could be allowed without giving access "to" Google/the site owner—even allowing the site author to provide their own functions for formatting and drawing the values—and thus could be allowed for _any_ website. Designing and implementing it is a fun technical problem, so it's a wonder why it wasn't, considering the motivations of a typical programmer (and those at Google especially).
Right, Meet is derived from the Hangouts codebase, I still think they'll probably just delete it. Meet is a stable product, how valuable is this special privilege now?
Apart from the privacy violation, isn't this a clear antitrust issue - Google is misusing their Browser dominance to give themselves and edge in the videoconferencing space.
Could it be that it tracks CPU / GPU usage etc to finetune what quality video streams to use? It's nonstandard but I can well imagine a native app would do this as well.
I might be able to shed some light on this (disclaimer: Xoogler).
I worked for a time on Google's internal videoconferencing platform, called GVC. This was in 2010-2011 at a time when a lot of the company's VC equipment was proprietary, specifically Cisco Tandberg units. These were expensive and would be expensive to roll out to thousands of meeting rooms.
around this time a different team was developing Hangouts. It's been awhile so my memory may be off but I think it was called Google Meet at the time? or maybe that was later? It's hard to keep track. I think Hangouts was the name adopted when Google+ came along and rolled Hangouts into its product offering.
There were different configurations of GVC but the most common were these All-in-One ("AIO") monitor/computer combos. It was a full Intel PC. So the GVC platform was a custom Linux distro. The system was designed so GVCs could talk to Google services, which was nontrivial, and so software updates could be rolled out. It kept old distros too in case one didn't boot. These GVCs had to be named and a whole bunch of other issues.
Additionally they needed support for various hardware like a touch panel to dial. Larger units required larger PTZ camera support and support for various microphones.
Anyway, Hangouts became the stack GVC was built on. This ultimately replaced virtually all Tandbergs and saved a fortune. This system was certainly still in use by 2017. I can't speak for later.
Monitoring was a part of all this. So when I see there are *.google.com specific APIs, we need to be sure we're talking about this accurately. Like can Google query any Chrome instance in the world? Or is it only from/to google.com? I don't know the answer and the Tweet doesn't specify.
But given the name hangouts_services and the domain restriction I consider it highly likely this is purely to support monitoring embedded Chrome for GVC. I could be wrong.
I don't think it's this. Tried a Meet call in Firefox just now. If you click the troubleshooting button, there's a CPU chart greyed out that says "try Chrome to see your CPU usage." Sure enough, in Chrome you can view how much CPU Meet is using, or maybe it's systemwide idk, either way I don't think is available through regular APIs. Edit: Definitely systemwide as confirmed with some `yes` background tasks.
P.S. The naming confusion always comes up. GVC is such a nice clear name.
This seems pretty unequivocal then- they're clearly using this to provide additional functionality to their own applications (at least Meet) that other companies who don't control the browser can't match.
It's a nice story but it doesn't plausibly have any remote connection to this. I'm sure the people running the GCV platform with a custom Linux distro have some other way of reporting machine stats than literally "put our custom extension into every Chrome install ever".
> Like can Google query any Chrome instance in the world? Or is it only from/to google.com?
I'm sorry, I don't understand the distinction you're trying to make? Yes, it sounds like the API is exposed just to the content running on *.google.com, but that's still a lot like "Google can query any Chrome instance" (that visits their site, but that's ~100% given that even if you don't visit Google services, Chrome pulls in NTP content from Google by default).
I don't think this is being used maliciously, but it's still problematic if Google can troubleshoot problems this way, and their competitors in the same space can't. There's no API for Zoom, right?
That API is available to all extensions. So Zoom could create an extension that uses that API and get their users to install that extension and approve the permission for that API.
I never worked at Google.... but this doesn't track for me.
You're saying the reason the 'retail' Google Chrome has this bundled plugin is so Google can get observability on CPU usage on internal appliances for an internal video conferencing platform?
I'm reading the tea leaves here. I have no direct knowledge of the situation. I'm retelling a story that seems (at least to me) to be consistent with what little information is here. There's plenty you can criticize Google on but I'm not sure this qualifies. Let's not attribute malice without cause. Or even negligence. It's fair to ask if this needs to be here still and what it's for. Let's just not fly off the handle prematurely.
As for "retail" Chrome having this plugin, it would make total sense. Chrome is a massive codebase. Maintaining a fork is a significant amount of effort. It would be far easier to add APIs to Chrome and whitelist them for only google.com extensions/JS.
I'm not sure what these APIs are exactly and why they're there, but Firefox also does something similar. It has special APIs available only to Mozilla and/or Firefox domains, for things like installing extensions, or helping with first-run experience.
A blog post about it was shared here on Hacker news <12 months ago, but I'm having trouble finding it...
apis are public, documented and the domain allowlist is both included in the UI and about:config (save from android playstore version where they hide everything to make the browser pure garbage for whatever reason)
and I'm pretty sure devs would at least think about adding your domain by default if you ask nicely with a great use case on bugzilla.
What? You think that Mozilla devs would think about adding your domain to the whitelist of domains allowed to install extensions if you just asked nicely? That would be insane from a security perspective.
But that is for websites directly related to operating the browser, whereas chrome is exposing APIs used by unrelated google products such as google meet.
This could possibly also be a violation of anti-trust laws since it is using a monopoly in one market (browsers) to get an advantage in another (video conferencing).
It's pretty standard among browsers. The risk should be about equal to someone spoofing the domains that the browser downloads software updates from, and you can turn it off via prefs if you really don't want it.
Not really. Browser developers add lots of different website-specific hacks to make sites behave better in their browser. Mozilla actually used to do this a lot, when they were originally the underdog 20+ years ago and were trying to get people to switch to the Mozilla suite (and then Firefox), when the argument against switching was often related to websites not working or rendering properly in Mozilla/Firefox that behaved properly in IE.
(Not that this is not the same thing as a website developer adding browser-specific hacks to make their site behave better/worse in a particular browser.)
Those are APIs related to browser functionality and onboarding. They're not there to advantage one of Mozilla's other product offerings at the expense of similar products offered by other companies.
Yes and they should also be criticized for it. Mozilla isn't exactly known for caring about privacy even if their marketing wants you to believe otherwise.
As for the anti-trust aspect, here the market share matters and Firefox is insignificant in that regard.
Disclaimer: I work at Google, but not on Chrome or on these APIs.
I think the explanation is quite mundane. An example usage: open google meet, start an empty meeting (an “instant meeting”), click the “…” menu, click “troubleshooting and help”.
There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded during a meet call, too.
It’s very helpful, I check it from time to time.
Edit: now that I think about it, I’m not sure about the suggestion to close tabs is actually a thing. I’ve only actually used the stats view.
> There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded
This is not mundane at all, it's a perfect example of giving your product an unfair competitive advantage.
If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
No wonder every other meeting provider pushes you aggressively into using their desktop app, Google Meet's desktop app is just Chrome!
At least other video conferencing tools don't lag like Meet, so users don't need to debug ;) I think this has to do with all of them using H.264 while Meet uses VP8/9.
> If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
I had to re-read this a few times; did you accidentally omit a word?
> If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack aren't, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
I fully agree with you, though; it's anticompetitive for them to use Chrome to give their other products an advantage.
I believe this is the point, rather than being mundane. Other video conference tools are not able to offer this debugging option - which you have pointed out is useful.
You have a competitor, Zoom. They have an in-browser version. Can they use this API for troubleshooting performance issues? No? The European regulators might be interested in that.
Perhaps this is one reason why Meet performs well in the browser and Zoom doesn't, meaning Zoom users use the native app if they want reasonable performance (particularly with many people in the meeting).
Apparently, this system statistics API is generally available to extension developers. The underlying issue is that they bundle a hidden "Hangouts Service Extension" with Chrome. Zoom, Teams, etc. would have access to this API through a Chrome extension, although they wouldn't have the advantage of having that extension pre-installed.
Mind you, Zoom does everything in their power to steer users away from their web client and toward their ~~malware~~ desktop client, so I don't think they're too upset about the status quo.
I agree it is very useful! This is also how I discovered this in the first place.
But that is not at all my point. The point is that google.com web properties have access to an API and a browser capability that is not available to it's competitors. Google only allows reading CPU info for itself.
The reason the data is not available for everyone, is because it would be a huge tracking vector. Same reason we don't allow webpages to read the device hostname, or username, or Chrome profile name. Google exposes this to google.com because it trusts itself. That poses this antitrust issue though.
This explanation was the first I read of what this actually does (yeah, yeah, I didn’t read the linked article first) and that’s a lot worse than I expected.
Yeah a whole lot of things really do seem mundane... once you have already accepted the fact you are tracked down to the cpu-percentage-usage-in-time level
This isn't a mundane explanation though: this is exactly the example Luca gives in the original thread. It's anti-competitive, because it's functionality only available to Google Meet. Google is using its browser monopoly to advantage its other products.
Don't you find it hilarious how people who work or worked at Google happen to think that things Google does are "mundane", even when other people think they're outrageous? Hilarious coincidence, really. Can't stop laughing.
Yeah, crazy to think that Google of all companies would track people in unexpected ways :eyeroll:.
Your post is evidence that the scrutiny Google gets is actually helping matters. Companies, especially powerful ones, should default to not tracking personal data any more than necessary. I'm glad to hear that at least one department took that seriously.
Even if you take the mundane explanation -- that this was just to allow Google engineers to troubleshoot user issues with Hangouts -- you still have a company using their market power to give their product (Hangouts) a benefit that no other product (Zoom, Teams, literally any other WebRTC video conferencing solution.) gets to use.
I think the submission is a bit wrong in editing the title from the original. I understood it like this:
Chrome has a built-in extension that uses public Chrome APIs that are easily available to other Chrome extensions. The issue described is that this extension shares this information to Google's own domains when they're communicating with the
extension, while other websites can't do this.
For what its worth, I'm on Brave (chromium based) and this also works there, so it appears to not necessarily be only Chrome but potentially any chromium browser where they haven't specifically blocked/disabled this
There is potentially an innocuous and straightforward explanation for this. Imagine the browser comes with some functionality implemented as a google.com-signed web app (as opposed to compiled/linked C++ as a lot of the older Chrome UI).
It would be silly if that PWA-implemented browser code would need permission to access the system information, since it is part of the browser's functionality itself.
Another use case for a private API (that has long existed) is integration of the Chrome browser with Google-specific websites that provide core functionality, like the Chrome Web store, to allow for installation/removal of extensions from a web page.
I think it is a mistake to give a company like Google the benefit of the doubt. Consumer protection is a lot like security, we should theorize the worst case scenario, and assume the company is willing to work against consumer interest if it serves their own interests.
If there exists a mundane and reasonable explanation for this, that doesn’t matter if there also exists a potential to exploit it in a way that harms consumers’ interests.
Yes, and that's the issue: Google is bundling an extension into Chrome that is unrelated to the operation of the browser itself, which gives another one of its products (Hangouts) privileged access that no other videoconferencing app has, at least not without the big step of getting users to manually install another extension.
Don't know about the rest, but ungoogled chromium scrambles every occurrence of the string "google" in the code specifically to avoid things like this, so probably not.
Yes, Edge has it enabled. If you open Google Meet troubleshooting in Edge you can see your system CPU. If you try it in Firefox it says "Try Google Chrome to see your CPU usage".
Safari also has some Apple specific features, like being able to show a special dialog for logging into other websites with your Apple account that works differently from passkeys or password autofill, or the redirect based flow they make other browsers go through.
Always wondered how it's implemented in JS. WebAuthn with proprietary arguments...?
Google has done this sort of thing before. My memory is fuzzy as to the details, but I think it was Native Client being allowlisted at the domain level to only work on Hangouts, or something like that.
I briefly worked on Internet Explorer in ages past. They would develop APIs with the Windows team for use in IE to give IE special features that other browsers couldn't implement.
So this is a lot like Microsoft using specialized formats or APIs in Windows that competitors cannot access, which was a problem throughout the 90s. The problem never went away - it has just changed appearance.
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
So I guess the question becomes how quickly you can spoof this ?
If you mean can another domain trick Chrome into letting it access those APIs… probably not; it seems it’s based on the browser extension architecture which is already somewhat hardened and I believe doesn’t even load the code for the extension if you’re not on a matching domain (though the typical protection goes the other way around — preventing extensions from accessing website data without permission).
Or anyone who controls your DNS resolution which has a number of paths (for example a local hosts file, possibly a router, changing your config or how you get your config to a malicious DNS server, etc)
In what world does "system / tab CPU usage, GPU usage, and memory usage" mean "full access to the system"? Any Chrome extension can access this info easily, the point that the tweet makes is that there's a built-in Chrome extension that shares this info with Google's own websites without any confirmation.
Is it really that easy? I just kind of assumed that devs could create subdomains under a dev TLD like googdev123.com, but not google.com until it was a fully-fledged product release.
Only to leak your CPU/GPU utilization though as far as I understand it. Those can also be exposed in other ways by legitimate JS/WebGPU by measuring/profiling shader runs/etc.
So if you install your own certificate authority and then spoof the DNS it might be possible? Not so useful as an attack vector, but potentially useful for people who want to do fun things with the browsers they own.
Google Docs is designed to not let you run arbitrary JS in a trusted (i.e. google.com origin) context, or else the author of any doc you visit could act as you on Google properties.
Firefox’s website “interventions” are documented on Firefox’s about:compat page. Each intervention has a link to more information about the website issue it’s fixing and a button to turn it off.
You can build Chrome without this by setting `enable_hangout_services_extension` to false. Of course, then none of the WebRTC stuff on google.com will work.
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
Those things can absolutely be used to "improve" fingerprinting. I don't think it's fair to assume it's being used for that though, without any further evidence. But it certainly could be used for it.
Anyone have any further context? As it stands right now, it's just a random claim without any proof what so ever? There is link in another comment, but how is that related to the tweet?
Google doesn't need any extra help to track users who are browsing Google sites in the Google browser. It is probably instead anticompetitive functionality that lets Google sites work better in Chrome in ways that other sites can't replicate.
> Google doesn't need any extra help to track users who are browsing Google sites in the Google browser.
I would not be surprised if there are cases where this would let them track users they otherwise couldn't. Like someone running two isolated Chrome instances with separate network connections but on the same PC.
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
Google spent billions muscling their way into their majority market share of web browsers, now they're going to keep on cashing out with unfair practices like these.
Last time I used Google Chrome, if you logged into a Google account while using Chrome, it automatically logged you into that Google account in the browser itself.
Isn't that implemented in a similar way to this?
I agree with the concerns about unfair competition, and I think this auto-login "feature" could also qualify as an example.
Chrome extensions can access CPU and GPU statistics via a public API that any extension developer can use. Google Chrome comes bundled with a hidden "Hangouts Services" extension, which has permissions for *.google.com (that extension's ID is the 'nkeimhogjdpnpccoofpliimaahmaaome' referenced in the examples). That extension has a function that will return those stats when called from JavaScript running on a webpage. As a result, any JavaScript running on *.google.com can get the current CPU and GPU utilization.
It's an API that is available to extension developers. The wrinkle here is that Google bundles a hidden "Hangouts Services" extension in Chrome with permissions for *.google.com (the extension's ID is the "nkeimhogjdpnpccoofpliimaahmaaome" referenced in the examples).
And? Google uses Chrome to retrieve data about the user.
Every Chromium-based browser has 'hidden' APIs only accessible on certain domains. That's how the custom (read: closed source) extensions work. "Component extensions" are used to interact with them normally: https://chromium.googlesource.com/chromium/src/+/main/extens...
Any whitelisted domains for these APIs cannot be written to using user-installed extensions, in order for a malicious extension to not be able to inject a script and execute the special API.
At Opera, we previously tried attacking the underlying implementation about how these 'hidden' APIs are accessible. Although we found a lot of Opera-specific issues, the Chromium logic seems sound and a "bypass" for other websites accessing the API is unlikely. It also seems that the developer here was just a bit overzealous in allowing this API to be accessed from all google.com subdomains.
For anyone having trouble with the logic here, which seems like a lot of people in this thread for some reason:
[Google's browser] comes with [code] that [does things] in a default installation of [Google's browser] that [Google's competitors] can't do in a default installation of [Google's browser].
Didn't you leave out that [Google's browser] allows [Google's websites] to do things [other websites] cannot?
Ostensibly [Google's websites] are websites like any other, but [Google's browser] treats them differently. IIRC Mozilla does similar things for addons.mozilla.org, but googles seem more broad since they are not as clearly linked to browser functionality.
I don't have a problem with the logic, I'm just not sure why I should care. I imagine Edge probably can do magic stuff on microsoft sites that it can't on the rest of the web too. It makes sense for the browser to have a higher level of trust for the company that makes it than it does for the wider web.
Some people remember when the government went after Microsoft for having secret APIs that only IE could use.
... but other people remember that in the time since, that entire Microsoft monopoly fiasco is held up as an example of bad prosecution, and we don't go after companies like that anymore.
People arguing that this is "just extension" are ignoring the fact that extensions have special priviledges compared to websites, and you would not want all websites to have the full power of arbitrary extension.
If it's "just extension", make it available to all domains.
If correct, once you access a `.google.com` website, the browser makes available through javascript an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website) and can send the collected information to the "mother ship".
If true, as usually, a lot of people have a Google tab open, you can easily deduct what it means.
This is definitely something to be investigated, for the moment, we only have a tweet.
> an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website)
No. It uses the chrome.system.cpu API, that any extension can access, which gives CPU and RAM utilization info about your tabs. It doesn't give anyone "a lot of information about all the open tabs", and does nothing to expose your banking website...
The allowlisting going on here is that normally when you install an extension in Chrome it asks you to confirm the access to those APIs on the sites where the extension wants to run, but this one comes pre-confirmed from the factory. A quick GitHub search finds ~1000 manifest files that list system.cpu, possibly because that API is also in the boilerplate example chrome extension manifest.
So the concern is that Google is making Hangouts better in a way that is hard for competitors to replicate? (And by "hard," I mean, "competitors have to ask users to install something," not hard in any HN-relevant sense of the word.) This forum sure has a lot of wanna-be Handicapper Generals. https://en.wikipedia.org/wiki/Harrison_Bergeron
If it's easy for users to just install the extension, then obviously there's no point in Google doing this in the first place. The fact that they bothered sounds like a pretty compelling argument for it being worth caring about.
Worth caring about why?? Because you think Google shouldn’t be allowed to make things better for their users? Like I said, you are so concerned about fairness you’re missing the point.
The name hangout_services suggests this is some old tech debty hack intended to make developing Google Hangouts easier by giving that team a direct stream of telemetry. For those who have forgotten, Hangouts was the first app that did video calling in the browser using what became WebRTC. If you look at what this module is doing it's exposing stuff like CPU/GPU/RAM usage/hardware details back to the app that it wouldn't normally have.
My guess is that Google will react to this Twitter thread by simply deleting it. Hangouts has been a dead product for a while; if their server side code still uses it they can surely remove it as presumably the Chrome team monitor WebRTC performance themselves in a multi-site way now, given the much wider usage.
No, this is used by Google Meet right now. Open the "Troubleshooting" panel in meet.google.com in Chrome, and you'll see live system wide CPU usage reporting :)
In principle, that's something that could be allowed without giving access "to" Google/the site owner—even allowing the site author to provide their own functions for formatting and drawing the values—and thus could be allowed for _any_ website. Designing and implementing it is a fun technical problem, so it's a wonder why it wasn't, considering the motivations of a typical programmer (and those at Google especially).
15 replies →
Right, Meet is derived from the Hangouts codebase, I still think they'll probably just delete it. Meet is a stable product, how valuable is this special privilege now?
15 replies →
Apart from the privacy violation, isn't this a clear antitrust issue - Google is misusing their Browser dominance to give themselves and edge in the videoconferencing space.
Could it be that it tracks CPU / GPU usage etc to finetune what quality video streams to use? It's nonstandard but I can well imagine a native app would do this as well.
I might be able to shed some light on this (disclaimer: Xoogler).
I worked for a time on Google's internal videoconferencing platform, called GVC. This was in 2010-2011 at a time when a lot of the company's VC equipment was proprietary, specifically Cisco Tandberg units. These were expensive and would be expensive to roll out to thousands of meeting rooms.
around this time a different team was developing Hangouts. It's been awhile so my memory may be off but I think it was called Google Meet at the time? or maybe that was later? It's hard to keep track. I think Hangouts was the name adopted when Google+ came along and rolled Hangouts into its product offering.
There were different configurations of GVC but the most common were these All-in-One ("AIO") monitor/computer combos. It was a full Intel PC. So the GVC platform was a custom Linux distro. The system was designed so GVCs could talk to Google services, which was nontrivial, and so software updates could be rolled out. It kept old distros too in case one didn't boot. These GVCs had to be named and a whole bunch of other issues.
Additionally they needed support for various hardware like a touch panel to dial. Larger units required larger PTZ camera support and support for various microphones.
Anyway, Hangouts became the stack GVC was built on. This ultimately replaced virtually all Tandbergs and saved a fortune. This system was certainly still in use by 2017. I can't speak for later.
Monitoring was a part of all this. So when I see there are *.google.com specific APIs, we need to be sure we're talking about this accurately. Like can Google query any Chrome instance in the world? Or is it only from/to google.com? I don't know the answer and the Tweet doesn't specify.
But given the name hangouts_services and the domain restriction I consider it highly likely this is purely to support monitoring embedded Chrome for GVC. I could be wrong.
I don't think it's this. Tried a Meet call in Firefox just now. If you click the troubleshooting button, there's a CPU chart greyed out that says "try Chrome to see your CPU usage." Sure enough, in Chrome you can view how much CPU Meet is using, or maybe it's systemwide idk, either way I don't think is available through regular APIs. Edit: Definitely systemwide as confirmed with some `yes` background tasks.
P.S. The naming confusion always comes up. GVC is such a nice clear name.
This seems pretty unequivocal then- they're clearly using this to provide additional functionality to their own applications (at least Meet) that other companies who don't control the browser can't match.
9 replies →
It's a nice story but it doesn't plausibly have any remote connection to this. I'm sure the people running the GCV platform with a custom Linux distro have some other way of reporting machine stats than literally "put our custom extension into every Chrome install ever".
You can try it for yourself, just
on any *.google.com page.
> Like can Google query any Chrome instance in the world? Or is it only from/to google.com?
I'm sorry, I don't understand the distinction you're trying to make? Yes, it sounds like the API is exposed just to the content running on *.google.com, but that's still a lot like "Google can query any Chrome instance" (that visits their site, but that's ~100% given that even if you don't visit Google services, Chrome pulls in NTP content from Google by default).
I don't think this is being used maliciously, but it's still problematic if Google can troubleshoot problems this way, and their competitors in the same space can't. There's no API for Zoom, right?
That API is available to all extensions. So Zoom could create an extension that uses that API and get their users to install that extension and approve the permission for that API.
1 reply →
I never worked at Google.... but this doesn't track for me.
You're saying the reason the 'retail' Google Chrome has this bundled plugin is so Google can get observability on CPU usage on internal appliances for an internal video conferencing platform?
I'm reading the tea leaves here. I have no direct knowledge of the situation. I'm retelling a story that seems (at least to me) to be consistent with what little information is here. There's plenty you can criticize Google on but I'm not sure this qualifies. Let's not attribute malice without cause. Or even negligence. It's fair to ask if this needs to be here still and what it's for. Let's just not fly off the handle prematurely.
As for "retail" Chrome having this plugin, it would make total sense. Chrome is a massive codebase. Maintaining a fork is a significant amount of effort. It would be far easier to add APIs to Chrome and whitelist them for only google.com extensions/JS.
Fascinating!
So it's possible most of Google didn't even know this was possible until know.
Until know.
Now there's probably DOZENS of Product Managers approaching their product's tech lead going "OK, now...hear me out...."
There are zero product managers who read this Twitter thread about a random decade-old Chromium hack and will do anything about it.
1 reply →
Looks like they added this in October 2013: https://github.com/chromium/chromium/commit/422c736b82e7ee76...
Here's that review URL: https://codereview.chromium.org/35873003
I'm not sure what these APIs are exactly and why they're there, but Firefox also does something similar. It has special APIs available only to Mozilla and/or Firefox domains, for things like installing extensions, or helping with first-run experience.
A blog post about it was shared here on Hacker news <12 months ago, but I'm having trouble finding it...
Hardly the same.
apis are public, documented and the domain allowlist is both included in the UI and about:config (save from android playstore version where they hide everything to make the browser pure garbage for whatever reason)
and I'm pretty sure devs would at least think about adding your domain by default if you ask nicely with a great use case on bugzilla.
What? You think that Mozilla devs would think about adding your domain to the whitelist of domains allowed to install extensions if you just asked nicely? That would be insane from a security perspective.
But that is for websites directly related to operating the browser, whereas chrome is exposing APIs used by unrelated google products such as google meet.
This could possibly also be a violation of anti-trust laws since it is using a monopoly in one market (browsers) to get an advantage in another (video conferencing).
I wrote a post about the UITour parts a long time ago: https://www.mkelly.me/blog/content-uitourjs/
It's pretty standard among browsers. The risk should be about equal to someone spoofing the domains that the browser downloads software updates from, and you can turn it off via prefs if you really don't want it.
A commit to Webkits Quirks.cpp was shared last month [0]. Probably not what you are referring to but has a similar vibe.
[0] https://news.ycombinator.com/item?id=40631439
Not really. Browser developers add lots of different website-specific hacks to make sites behave better in their browser. Mozilla actually used to do this a lot, when they were originally the underdog 20+ years ago and were trying to get people to switch to the Mozilla suite (and then Firefox), when the argument against switching was often related to websites not working or rendering properly in Mozilla/Firefox that behaved properly in IE.
(Not that this is not the same thing as a website developer adding browser-specific hacks to make their site behave better/worse in a particular browser.)
Those are APIs related to browser functionality and onboarding. They're not there to advantage one of Mozilla's other product offerings at the expense of similar products offered by other companies.
Yes and they should also be criticized for it. Mozilla isn't exactly known for caring about privacy even if their marketing wants you to believe otherwise.
As for the anti-trust aspect, here the market share matters and Firefox is insignificant in that regard.
Disclaimer: I work at Google, but not on Chrome or on these APIs.
I think the explanation is quite mundane. An example usage: open google meet, start an empty meeting (an “instant meeting”), click the “…” menu, click “troubleshooting and help”.
There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded during a meet call, too.
It’s very helpful, I check it from time to time.
Edit: now that I think about it, I’m not sure about the suggestion to close tabs is actually a thing. I’ve only actually used the stats view.
> I think the explanation is quite mundane
> There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded
This is not mundane at all, it's a perfect example of giving your product an unfair competitive advantage.
If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
No wonder every other meeting provider pushes you aggressively into using their desktop app, Google Meet's desktop app is just Chrome!
Example of why this is not mundane https://x.com/fedekauffman/status/1811019707165856259
At least other video conferencing tools don't lag like Meet, so users don't need to debug ;) I think this has to do with all of them using H.264 while Meet uses VP8/9.
7 replies →
> If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
I had to re-read this a few times; did you accidentally omit a word?
> If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack aren't, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.
I fully agree with you, though; it's anticompetitive for them to use Chrome to give their other products an advantage.
2 replies →
I believe this is the point, rather than being mundane. Other video conference tools are not able to offer this debugging option - which you have pointed out is useful.
The user could easily install an extension that provides the same debugging capability. Most users don't care, so they won't need it.
3 replies →
You have a competitor, Zoom. They have an in-browser version. Can they use this API for troubleshooting performance issues? No? The European regulators might be interested in that.
Perhaps this is one reason why Meet performs well in the browser and Zoom doesn't, meaning Zoom users use the native app if they want reasonable performance (particularly with many people in the meeting).
Apparently, this system statistics API is generally available to extension developers. The underlying issue is that they bundle a hidden "Hangouts Service Extension" with Chrome. Zoom, Teams, etc. would have access to this API through a Chrome extension, although they wouldn't have the advantage of having that extension pre-installed.
Mind you, Zoom does everything in their power to steer users away from their web client and toward their ~~malware~~ desktop client, so I don't think they're too upset about the status quo.
3 replies →
Very cool that Google built an anticompetitive browser that offers such useful features only to themselves.
Very cool of you as a Google employee to say the quiet part out loud for us.
Are customers better off or worse off?
18 replies →
Monopoly leveraging is illegal, not mundane.
Are features like this available to other websites outside of Google? Say, could Zoom also add a feature like this?
A level playing field for competition? This is Google we're talking about.
If Zoom makes a chrome extension, then yes.
11 replies →
I agree it is very useful! This is also how I discovered this in the first place.
But that is not at all my point. The point is that google.com web properties have access to an API and a browser capability that is not available to it's competitors. Google only allows reading CPU info for itself.
The reason the data is not available for everyone, is because it would be a huge tracking vector. Same reason we don't allow webpages to read the device hostname, or username, or Chrome profile name. Google exposes this to google.com because it trusts itself. That poses this antitrust issue though.
And they do the same thing with YouTube by slowing down the initial load in other browsers. Google is evil, and this is the least of it.
"don't be evil"
[flagged]
2 replies →
Oh wow.
This explanation was the first I read of what this actually does (yeah, yeah, I didn’t read the linked article first) and that’s a lot worse than I expected.
So helpful that no other website and no other browser can use it?
Looking forward to seeing this comment in discovery
The monopolists' first step towards unfairly dominating a market always seems pretty mundane.
if we are guessing I would drawn my guess from the hyper controlled access to android play services, which do much more than what you are guessing.
my guess would also include some nifty debug info from FLoC ;)
Yeah a whole lot of things really do seem mundane... once you have already accepted the fact you are tracked down to the cpu-percentage-usage-in-time level
[flagged]
This isn't a mundane explanation though: this is exactly the example Luca gives in the original thread. It's anti-competitive, because it's functionality only available to Google Meet. Google is using its browser monopoly to advantage its other products.
33 replies →
Don't you find it hilarious how people who work or worked at Google happen to think that things Google does are "mundane", even when other people think they're outrageous? Hilarious coincidence, really. Can't stop laughing.
1 reply →
Yeah, crazy to think that Google of all companies would track people in unexpected ways :eyeroll:.
Your post is evidence that the scrutiny Google gets is actually helping matters. Companies, especially powerful ones, should default to not tracking personal data any more than necessary. I'm glad to hear that at least one department took that seriously.
13 replies →
Even if you take the mundane explanation -- that this was just to allow Google engineers to troubleshoot user issues with Hangouts -- you still have a company using their market power to give their product (Hangouts) a benefit that no other product (Zoom, Teams, literally any other WebRTC video conferencing solution.) gets to use.
I hope the anti-trust regulators notice this one.
I think the submission is a bit wrong in editing the title from the original. I understood it like this:
Chrome has a built-in extension that uses public Chrome APIs that are easily available to other Chrome extensions. The issue described is that this extension shares this information to Google's own domains when they're communicating with the extension, while other websites can't do this.
There's no "special hidden API".
"special" in the sense that unlike other extensions which are user-installed, this one is built into Chrome.
"hidden" in the sense that when I go to chrome://extensions it is not listed.
And as you already mentioned, it's a Chrome API.
Paste this into a Chrome DevTools console on a Google site - sure looks like a special API to me:
For what its worth, I'm on Brave (chromium based) and this also works there, so it appears to not necessarily be only Chrome but potentially any chromium browser where they haven't specifically blocked/disabled this
1 reply →
This does not work (as expected) on `ungoogled-chromium`.
[flagged]
3 replies →
A "built-in extension" is still part of the browser unless it can be disabled.
There is potentially an innocuous and straightforward explanation for this. Imagine the browser comes with some functionality implemented as a google.com-signed web app (as opposed to compiled/linked C++ as a lot of the older Chrome UI).
It would be silly if that PWA-implemented browser code would need permission to access the system information, since it is part of the browser's functionality itself.
Another use case for a private API (that has long existed) is integration of the Chrome browser with Google-specific websites that provide core functionality, like the Chrome Web store, to allow for installation/removal of extensions from a web page.
I think it is a mistake to give a company like Google the benefit of the doubt. Consumer protection is a lot like security, we should theorize the worst case scenario, and assume the company is willing to work against consumer interest if it serves their own interests.
If there exists a mundane and reasonable explanation for this, that doesn’t matter if there also exists a potential to exploit it in a way that harms consumers’ interests.
2 replies →
Any time things like this are needed, I think it should ask the user for permission first.
3 replies →
This is functionally equivalent.
Same thing with more steps?
Looks like this is accessing "chrome.system.cpu" API, which any extension can access (given the "system.cpu" permissions).
https://developer.chrome.com/docs/extensions/reference/api/s...
You can see all the permissions requested by this extension here:
https://source.chromium.org/chromium/chromium/src/+/main:chr...
Yes, and that's the issue: Google is bundling an extension into Chrome that is unrelated to the operation of the browser itself, which gives another one of its products (Hangouts) privileged access that no other videoconferencing app has, at least not without the big step of getting users to manually install another extension.
Hardly surprising. This is very Google-like behavior. The question is do other Chromium browsers have this? Edge? Brave? Chromium? Ungoogled Chromium?
Don't know about the rest, but ungoogled chromium scrambles every occurrence of the string "google" in the code specifically to avoid things like this, so probably not.
It is disabled: https://github.com/ungoogled-software/ungoogled-chromium/blo...
If this flag is true then the extension is added: https://source.chromium.org/chromium/chromium/src/+/main:chr... and https://source.chromium.org/chromium/chromium/src/+/main:chr...
Scrambles to a static unpurchased domain?
6 replies →
Unless Chromium does something like atob("Z29vZ2xlLmNvbQ==")
1 reply →
What if it’s checking a hash of the domain name?
Yes, Edge has it enabled. If you open Google Meet troubleshooting in Edge you can see your system CPU. If you try it in Firefox it says "Try Google Chrome to see your CPU usage".
Safari also has some Apple specific features, like being able to show a special dialog for logging into other websites with your Apple account that works differently from passkeys or password autofill, or the redirect based flow they make other browsers go through.
Always wondered how it's implemented in JS. WebAuthn with proprietary arguments...?
Google has done this sort of thing before. My memory is fuzzy as to the details, but I think it was Native Client being allowlisted at the domain level to only work on Hangouts, or something like that.
I briefly worked on Internet Explorer in ages past. They would develop APIs with the Windows team for use in IE to give IE special features that other browsers couldn't implement.
And isn't this one of the many things Microsoft got in trouble for with the DoJ's antri-trust enforcement division in the 90s?
My experience was well after that.
1 reply →
So this is a lot like Microsoft using specialized formats or APIs in Windows that competitors cannot access, which was a problem throughout the 90s. The problem never went away - it has just changed appearance.
This is a little different than Office being able to use some useful OS integration feature that LibreOffice can't use.
This is allowing Google to do something TO you that no one else can do to you, and that you assumed no one could do to you.
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
So I guess the question becomes how quickly you can spoof this ?
Wouldn't you be able to deploy an app script website, which is hosted on "script.google.com" and make use of this?
your code do not run from that domain at all.
2 replies →
Does Chrome do certificate pinning checking in this case?
1 reply →
If you mean can another domain trick Chrome into letting it access those APIs… probably not; it seems it’s based on the browser extension architecture which is already somewhat hardened and I believe doesn’t even load the code for the extension if you’re not on a matching domain (though the typical protection goes the other way around — preventing extensions from accessing website data without permission).
It seems bad enough that Google has access to it to justify ripping it out.
You just need to "register" a subdomain. So basically any google employee has potentially full access to your system?
You’re likely severely underestimating the amount of internal paperwork and review that is required to launch a new google.com subdomain.
13 replies →
Or anyone who controls your DNS resolution which has a number of paths (for example a local hosts file, possibly a router, changing your config or how you get your config to a malicious DNS server, etc)
5 replies →
In what world does "system / tab CPU usage, GPU usage, and memory usage" mean "full access to the system"? Any Chrome extension can access this info easily, the point that the tweet makes is that there's a built-in Chrome extension that shares this info with Google's own websites without any confirmation.
What about anything on sites.google.com?
Is it really that easy? I just kind of assumed that devs could create subdomains under a dev TLD like googdev123.com, but not google.com until it was a fully-fledged product release.
3 replies →
> full access to your system
Only to leak your CPU/GPU utilization though as far as I understand it. Those can also be exposed in other ways by legitimate JS/WebGPU by measuring/profiling shader runs/etc.
Drive.google.com links also work
If you could spoof google.com you have much bigger fish to fry.
Pretty much impossible, would need to defeat https/ct. You would have to spoof *.google.com within chrome.
So if you install your own certificate authority and then spoof the DNS it might be possible? Not so useful as an attack vector, but potentially useful for people who want to do fun things with the browsers they own.
4 replies →
Don't have to spoof it - just put something on Google Docs and send people a link.
Google Docs is designed to not let you run arbitrary JS in a trusted (i.e. google.com origin) context, or else the author of any doc you visit could act as you on Google properties.
This kind of thing is common, there was a file called tweaks.cpp which had a list of domains that had slightly different behaviours.
That file was very telling to be honest and was well commenter. Firefox has a similar file.
Firefox’s website “interventions” are documented on Firefox’s about:compat page. Each intervention has a link to more information about the website issue it’s fixing and a button to turn it off.
You can build Chrome without this by setting `enable_hangout_services_extension` to false. Of course, then none of the WebRTC stuff on google.com will work.
No WebRTC would be a win, but people can just use firefox and disable WebRTC globally.
i just want to know if this is built into arc to be honest.
One does not simply "build chrome".
Chromium has ungoogled builds: https://chromium.woolyss.com/
2 replies →
The process is well documented :-)
6 replies →
Is it fair to assume this is used for fingerprinting/tracking users?
The tweet says:
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
Those things can absolutely be used to "improve" fingerprinting. I don't think it's fair to assume it's being used for that though, without any further evidence. But it certainly could be used for it.
Anyone have any further context? As it stands right now, it's just a random claim without any proof what so ever? There is link in another comment, but how is that related to the tweet?
> I don't think it's fair to assume it's being used for that though, without any further evidence.
Maybe in this situation we should distinguish "fair" vs. "probable".
I'd guess it's improbable that Google is trying to use this for fingerprinting.
But if we've previously found them with their hand in the cookie jar, then maybe it's fair to treat them as guilty until proven innocent?
Google doesn't need any extra help to track users who are browsing Google sites in the Google browser. It is probably instead anticompetitive functionality that lets Google sites work better in Chrome in ways that other sites can't replicate.
> Google doesn't need any extra help to track users who are browsing Google sites in the Google browser.
I would not be surprised if there are cases where this would let them track users they otherwise couldn't. Like someone running two isolated Chrome instances with separate network connections but on the same PC.
perhaps a measure to determine if the owners devices can tolerate one more web app or ad stream before it runs out of resources
[flagged]
this is a great comment, thank you for your service!
1 reply →
I stopped using Chrome as my primary & only browser. Too much power in one hand?
If you want to see what this does, navigate to https://www.google.com/ in Chrome and paste this into your DevTools console:
I got this:
This won't work on non-Google URLs.
I'm glad that, at least, CPU ID isn't part of that.
Actually, do modern Macs even allow normal software to discover the CPU ID?
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.
And this is why we should all boycott Chromium based browsers.
It's turning (and mostly has already turned) into the new Internet Explorer.
Use Safari or Firefox, or any other browser that's not based on Chromium.
Google spent billions muscling their way into their majority market share of web browsers, now they're going to keep on cashing out with unfair practices like these.
If you’re still using Chrome in 2024, you’re a fool.
[dead]
Last time I used Google Chrome, if you logged into a Google account while using Chrome, it automatically logged you into that Google account in the browser itself.
Isn't that implemented in a similar way to this?
I agree with the concerns about unfair competition, and I think this auto-login "feature" could also qualify as an example.
Thread reader: https://twitter-thread.com/t/1810696257137959018
Isn't Google chrome open source?
It should be possible to point to the source code of whatever google.com extensions that may exist.
Or is this only available in the packaged distributions of Chrome?
https://chromium.googlesource.com/chromium/src.git
I think there are a few bits and pieces which may not be open source, such as those for DRM.
Is there more of an explanation? I see a baseless claim without any specificity.
I'm not saying it's right/wrong, just that no evidence was presented.
Chrome extensions can access CPU and GPU statistics via a public API that any extension developer can use. Google Chrome comes bundled with a hidden "Hangouts Services" extension, which has permissions for *.google.com (that extension's ID is the 'nkeimhogjdpnpccoofpliimaahmaaome' referenced in the examples). That extension has a function that will return those stats when called from JavaScript running on a webpage. As a result, any JavaScript running on *.google.com can get the current CPU and GPU utilization.
Hmm. I'm going to go ahead and blame twitter here. I don't see any additional links in the tweet or anything.
1 reply →
There is a link pointing out the exact place in Chrome's code.
through this, at least it is now fairly well known that chrome is able to share detailed hardware details to a website.
now, is it bad that it is being done at all or that only google.com host requests can access it?
personally i see the value during debugging but having it forced enabled this way (also for only one company) is not great and should be remedied.
This API either shouldn’t exist or should be Google only. It would be an absolute disaster if everyone had access to it.
Is it not Google only?
It's an API that is available to extension developers. The wrinkle here is that Google bundles a hidden "Hangouts Services" extension in Chrome with permissions for *.google.com (the extension's ID is the "nkeimhogjdpnpccoofpliimaahmaaome" referenced in the examples).
There's been proposals in the thread calling for it to be opened. I also saw one on Twitter calling for it to be opened under the DMA.
It's like Google relishes in giving the FTC all the help it could ever want.
Google really needs to be broken up. Into 5 or 6 totally independent pieces.
I can hear the regulators in Strasbourg typing up complaints and fines now.
Wonder if Edge renames this to *.microsoft.com or bing.com.
Probably not. It's part of a bundled extension used to support Google Hangouts.
I wonder how Chromium, Brave or Edge handle this?
Its in the chromium repo:
https://source.chromium.org/chromium/chromium/src/+/main:chr...
https://source.chromium.org/chromium/chromium/src/+/main:chr...
You also could probably block this with a policy file.
The extension ID is: nkeimhogjdpnpccoofpliimaahmaaome
https://chromeenterprise.google/policies/?policy=ExtensionIn...
Is this how they implement features like pinning a live game score in your phone from the browser? I always wondered how they do that.
And? Google uses Chrome to retrieve data about the user.
Every Chromium-based browser has 'hidden' APIs only accessible on certain domains. That's how the custom (read: closed source) extensions work. "Component extensions" are used to interact with them normally: https://chromium.googlesource.com/chromium/src/+/main/extens...
See https://blogs.opera.com/security/2021/09/8000-bug-bounty-hig... and https://blogs.opera.com/security/2021/09/bug-bounty-guest-po... for examples of when there are vulnerabilities in those extensions, and how they can be abused for remote code execution.
Any whitelisted domains for these APIs cannot be written to using user-installed extensions, in order for a malicious extension to not be able to inject a script and execute the special API.
At Opera, we previously tried attacking the underlying implementation about how these 'hidden' APIs are accessible. Although we found a lot of Opera-specific issues, the Chromium logic seems sound and a "bypass" for other websites accessing the API is unlikely. It also seems that the developer here was just a bit overzealous in allowing this API to be accessed from all google.com subdomains.
technically correct. google chrome should forever be called "Tainted Chromium" to use the same nomenclature as the Linux Kernel when you load blobs.
Hm, I guess it's good I have a firewall?
How does that help?
You could block *.google.com
1 reply →
bot detection?
For anyone having trouble with the logic here, which seems like a lot of people in this thread for some reason:
[Google's browser] comes with [code] that [does things] in a default installation of [Google's browser] that [Google's competitors] can't do in a default installation of [Google's browser].
Didn't you leave out that [Google's browser] allows [Google's websites] to do things [other websites] cannot?
Ostensibly [Google's websites] are websites like any other, but [Google's browser] treats them differently. IIRC Mozilla does similar things for addons.mozilla.org, but googles seem more broad since they are not as clearly linked to browser functionality.
We’re saying the same thing. There are some who believe this is okay. But it is clearly monopolistic behaviour that should be regulated.
1 reply →
I don't have a problem with the logic, I'm just not sure why I should care. I imagine Edge probably can do magic stuff on microsoft sites that it can't on the rest of the web too. It makes sense for the browser to have a higher level of trust for the company that makes it than it does for the wider web.
There was massive antitrust lawsuit about behavior like this, when browses where new.
2 replies →
Some people remember when the government went after Microsoft for having secret APIs that only IE could use.
... but other people remember that in the time since, that entire Microsoft monopoly fiasco is held up as an example of bad prosecution, and we don't go after companies like that anymore.
3 replies →
[does relatively innocuous, relatively boring things]
That only Google can do, which makes competing with them harder. This isn't difficult to understand.
4 replies →
Like [slowing Youtube down] on [Firefox] [0].
[0]: https://www.zdnet.com/article/youtube-is-slowing-video-loads...
1 reply →
Can you elaborate?
Is it just Google's competitors, or it is everyone?
People arguing that this is "just extension" are ignoring the fact that extensions have special priviledges compared to websites, and you would not want all websites to have the full power of arbitrary extension.
If it's "just extension", make it available to all domains.
The primary "special privilege" is that the extension is shipped with the browser and hidden. The API itself is available to any extension developer.
https://developer.chrome.com/docs/extensions/reference/api/s...
This just in: Google Spyware has features accessible only to Google.
[flagged]
[flagged]
[flagged]
login-walled
What has an hidden API where? I have no idea what this is trying to say. Can anyone make sense of it?
If correct, once you access a `.google.com` website, the browser makes available through javascript an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website) and can send the collected information to the "mother ship".
If true, as usually, a lot of people have a Google tab open, you can easily deduct what it means.
This is definitely something to be investigated, for the moment, we only have a tweet.
> an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website)
No. It uses the chrome.system.cpu API, that any extension can access, which gives CPU and RAM utilization info about your tabs. It doesn't give anyone "a lot of information about all the open tabs", and does nothing to expose your banking website...
https://developer.chrome.com/docs/extensions/reference/api/s...
https://source.chromium.org/chromium/chromium/src/+/main:chr...
That API is baked into Google Chrome. It's hardcoded to only let google.com use it.
I don't think that is an accurate description. The APIs are available in Chrome to anyone: https://developer.chrome.com/docs/extensions/reference/api/s...
The allowlisting going on here is that normally when you install an extension in Chrome it asks you to confirm the access to those APIs on the sites where the extension wants to run, but this one comes pre-confirmed from the factory. A quick GitHub search finds ~1000 manifest files that list system.cpu, possibly because that API is also in the boilerplate example chrome extension manifest.
5 replies →
That is the source code of Chromium, not Chrome.
Websites hosted on the google.com domain can access more data about the device than websites hosted on any other domain.
Google allows web pages from *.google.com to read a user's cpu usage, gpu usage, etc.
Other web pages don't have such access.
That was one reason I don't use Chrome. They clearly do special stuff on their sites. And spyware is guaranteed with chrome
So the concern is that Google is making Hangouts better in a way that is hard for competitors to replicate? (And by "hard," I mean, "competitors have to ask users to install something," not hard in any HN-relevant sense of the word.) This forum sure has a lot of wanna-be Handicapper Generals. https://en.wikipedia.org/wiki/Harrison_Bergeron
If it's easy for users to just install the extension, then obviously there's no point in Google doing this in the first place. The fact that they bothered sounds like a pretty compelling argument for it being worth caring about.
Worth caring about why?? Because you think Google shouldn’t be allowed to make things better for their users? Like I said, you are so concerned about fairness you’re missing the point.
3 replies →