Check if user has a third party Chrome extension installed

Question

I am currently trying to detect if a user has a certain Chrome extension installed. The Chrome extension is not my own and I do not have the source code to it. I have tried methods in numerous posts but they all fail. What I've tried and why it failed is detailed below.

This results in 'cannot read property connect of undefined' when executed:

var myPort=chrome.extension.connect('idldbjenlmipmpigmfamdlfifkkeaplc', some_object_to_send_on_connect);

Trying to load a resource of the extension as follows to test if it's there but going to this URL in browser results in 'your file was not found' Chrome error page (note that I found this path by going to C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\idldbjenlmipmpigmfamdlfifkkeaplc\1.0.0.1_0\ on my Windows local machine):

chrome-extension://idldbjenlmipmpigmfamdlfifkkeaplc/1.0.0.1_0/icon_16.png

Using Chrome management but this results in console error 'cannot read property get of undefined' when executed

chrome.management.get("idldbjenlmipmpigmfamdlfifkkeaplc", function(a){console.log(a);});

And most other answers I've come across seem to involve the extension being written by the same person who is trying to check for it.

Answer 1

Assuming you need it from a website

connect/message method implies that the extension specifically listed your website in the list of origins it expects connection from. This is unlikely unless you wrote this extension yourself, as this cannot be a wildcard domain.

Referring to files within the extension from web context will return 404 simulate a network error unless the extension declared them as web-accessible. This used to work before 2012, but Google closed that as a fingerprinting method - now extensions have to explicitly list resources that can be accessed. The extension you specifically mention doesn't list any files as web-accessible, so this route is closed as well.

chrome.management is an extension API; websites cannot use it at all.

Lastly, if an extension has a content script that somehow modifies the DOM of your webpage, you may detect those changes. But it's not very reliable, as content scripts can change their logic. Again, in your specific case the extension listens to a DOM event, but does not anyhow make clear the event is received - so this route is closed.

Note that, in general, you cannot determine that content script code runs alongside yours, as it runs in an isolated context.

All in all, there is no magic solution to that problem. The extension has to cooperate to be discoverable, and you cannot bypass that.

Assuming you need it from another extension

Origins whitelisted for connect/message method default to all extensions; however, for this to work the target extension needs to listen to onConnectExternal or onMessageExternal event, which is not common.

Web-accessible resources have the same restrictions for access from other extensions, so the situation is not better.

Observing a page for changes with your own content script is possible, but again there may be no observable ones and you cannot rely on those changes being always the same.

Similar to extension-webpage interaction, content scripts from different extensions run in isolated context, so it's not possible to directly "catch"code being run.

chrome.management API from an extension is the only surefire way to detect a 3rd party extension being installed, but note that it requires "management" permission with its scary warnings.