- Browser Extension Distribution Scenarios
- Google Admin References
- Setting the Installation Policy in the Google Admin Console
- Requiring an Extension Link
- Pre-Approving Access to Hosts/Origins
- Requiring a PixieBrix Version
- PixieBrix Chrome Extension Details
- Frequently Asked Questions (FAQs)
- What browser permissions does PixieBrix's extension require?
- Could you explain your CRXcavator Extension Risk Report?
Browser Extension Distribution Scenarios
There are two approaches to distributing the PixieBrix Browser Extension within your organization:
- Installation from Chrome Web Store. Add the PixieBrix extension to Chrome's “Allow List” so that each team member can individually install the PixieBrix browser extension. Your team members will follow the instructions at Installing from the Chrome Web Store
- Automatic Installation. Add PixieBrix to Chrome's list of "Force Install" extensions to have Chrome automatically install the browser extension on team members' browsers. Your team members will follow the instructions at Completing Automatic Installation
Google Admin References
Refer to the Google documentation for how your organization manages access to Chrome Browser Extensions:
- Google Chrome Enterprise Help: Managing Extensions in your Enterprise
- Set Chrome policies for users or browsers
Setting the Installation Policy in the Google Admin Console
You can use the Google Admin Console to install the PixieBrix Chrome Browser Extension on all managed accounts, or to allow installing it if extensions are blocked by default. In the Google Admin console, the page used for configuring extensions is under Devices > Chrome > Apps & Extensions > User & Browsers.
Select the Organization Unit to apply the policy
Click the yellow + button in the bottom right to add an extension, and click “Add Chrome App or Extension by ID”:
Enter the PixieBrix Chrome Web Store Extension ID mpjjildhmpddojocokjkgmlkkkfjnepo and click Save to add PixieBrix
Click the Installation Policy to change the default installation policy:
- Force install + pin to browser toolbar
- Force install
- Allow install
After saving, if you chose a Force install policy, the extension will be installed for every account the policy applies to.
Requiring an Extension Link
By default, on installation, the PixieBrix extension prompts the team member to link the extension to a PixieBrix account. However, if the team member closes the extension, PixieBrix will not prompt them to link the extension again.
To require a team member to link the extension to a PixieBrix account, PixieBrix supports using Chrome’s Managed Policy feature to associate an installed extension with your organization. As part of the PixieBrix heartbeat, every 5 minutes, PixieBrix checks whether it is unlinked and, if so, prompts the user to link their extension.
To verify that Chrome is reading the managed policy, navigate to chrome://policy in your Chrome browser.
If you have the PixieBrix extension installed (v1.5.10 or higher), you’ll see the policy value you’ve provided. For example:
Windows
On Windows, use the registry to set the managedOrganizationId property for the extension:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\mpjjildhmpddojocokjkgmlkkkfjnepo\policy
The managedOrganizationId value should be of type REG_SZ (a string) and contain the UUID for your organization.
Pre-Approving Access to Hosts/Origins
To pre-approve hostnames for modification/API calls, use the runtime_allowed_hosts setting. See Configure ExtensionSettings policy for more information.
Providing origins allows PixieBrix to activate deployments targeting those hosts without prompting the team member to accept permissions.
The setting supports wildcard sub-domains, but not paths. For example:
https://*.example.com
https://www.example.com
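Because every pre-approved origin is granted without a prompt, it is worth linting the list before it goes into policy. The following is an added example, not PixieBrix or Google code: it checks entries against the rule above (wildcard sub-domains allowed, no paths) and emits an ExtensionSettings fragment keyed by the extension ID. The https-only and TLD-wide wildcard rejections are assumed reviewer policy, and the function names and sample origins are constructed.

```python
import json
import re

# Extension ID taken from this page; everything else here is an illustrative assumption.
PIXIEBRIX_ID = "mpjjildhmpddojocokjkgmlkkkfjnepo"
ENTRY_RE = re.compile(r"^(?P<scheme>[^:/]+)://(?P<host>[^/:?#]*)(?::\d+)?(?P<rest>.*)$")


def check_origin(entry):
    """Return the problems found in one runtime_allowed_hosts entry (empty list = OK)."""
    m = ENTRY_RE.match(entry)
    if not m:
        return ["not of the form scheme://host"]
    problems = []
    host = m["host"]
    if m["scheme"] != "https":
        problems.append("scheme is not https")  # assumed reviewer policy
    if not host:
        problems.append("missing host")
    if m["rest"]:
        problems.append("nothing may follow the host (paths are not supported)")
    if "*" in host[1:] or (host.startswith("*") and not host.startswith("*.")):
        problems.append("wildcard must be a leading '*.' sub-domain label")
    elif host.startswith("*.") and len(host.split(".")) < 3:
        # Assumed reviewer policy. No public-suffix list is consulted,
        # so a pattern such as *.co.uk is not caught by this check.
        problems.append("wildcard covers an entire top-level domain")
    return problems


def build_extension_settings(origins):
    """Return an ExtensionSettings fragment, or raise ValueError listing rejected entries."""
    rejected = {o: check_origin(o) for o in origins if check_origin(o)}
    if rejected:
        raise ValueError(json.dumps(rejected, indent=2))
    return {PIXIEBRIX_ID: {"runtime_allowed_hosts": sorted(set(origins))}}


if __name__ == "__main__":
    # Constructed sample request; the first two entries are the page's own examples.
    requested = ["https://*.example.com", "https://www.example.com",
                 "https://www.example.com/app/*", "https://*.com"]
    for origin in requested:
        print(origin, "->", check_origin(origin) or "ok")
    print(json.dumps(build_extension_settings(requested[:2]), indent=2))
```
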
Requiring a PixieBrix Version
To pin a force-installed PixieBrix Browser Extension to a current/historic version, see the Pin Chrome app or extension updates documentation.
PixieBrix Chrome Extension Details
- ID: mpjjildhmpddojocokjkgmlkkkfjnepo
- Chrome Web Store URL
Frequently Asked Questions (FAQs)
What browser permissions does PixieBrix's extension require?
Could you explain your CRXcavator Extension Risk Report?
CRXcavator is a tool from Duo Security to automatically assess the risk of Browser Extensions. As an automated scanning tool, its results need to be put into context.
Relative Risk Scores of other Extensions
The PixieBrix extension is a leader compared to other enterprise automation extensions:
Permissions
See the Extension permissions section of our Privacy Policy for a full explanation of what permissions our extension requests and why.
The Chrome Web Store team reviews the extension with respect to the stated purpose of each permission.
The main permissions risks flagged by CRXcavator are:
- *://*/* host permission. PixieBrix optionally includes support for running on any page/calling any API. However, before PixieBrix can run on a page or call an API, the user must first grant PixieBrix permission to access that origin. As an IT admin, you can set the Chrome Extension policy to override this permission to allow/forbid certain origins
- tabs permission. PixieBrix must be able to monitor tab events for navigation and cross-tab messaging/automation. PixieBrix does not transmit/collect information about URLs
Content Security Policy (CSP)
The main CSP risks included in the CRXcavator score are:
- connect-src: https:. Required for PixieBrix to be able to make API calls for integrations. The calls PixieBrix makes are subject to the host permission (see Permissions above)
- frame-src: https:. Required to support embedding iframes in custom panels.
- image-src: https:. Required to support embedding logos/images for theming and custom panels
- script-src: unsafe-eval. Required for dynamic page modification and templating. PixieBrix does not request external JavaScript
External Communications
- ns.adobe.com: false positive, Adobe’s namespace for schemas
- github.com: false positive, included in package metadata