How to detect if a userscript is installed from the Chrome Store?

First, it is important to clarify that Tampermonkey scripts are typically managed and executed through the Tampermonkey extension, and the Tampermonkey extension itself does not directly provide an interface to determine if a script was installed from the Chrome Web Store. However, we can infer or detect this through some indirect methods.

Technical Approach

1. Checking the script's metadata: Each Tampermonkey script includes a metadata section, which typically contains information such as the script's source and version number. Although this section can be customized by the script author, if we require that scripts downloaded from the Chrome Web Store must include specific markers or links, we can determine if the script was installed from the Chrome Web Store by parsing this metadata.

javascript
// ==UserScript==
// @name         Example Script
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Try it
// @author       Your Name
// @match        http://*/*
// @grant        none
// @fromStore    true
// ==/UserScript==

(function() {
    'use strict';

    if (GM_info.script.fromStore === 'true') {
        console.log('This script was installed from the Chrome Web Store');
    } else {
        console.log('This script was not installed from the Chrome Web Store');
    }
})();

2. Checking extension source using browser APIs: This method is more complex and requires the script to access browser extension APIs, such as the chrome.management API. Through this API, we can retrieve detailed information about all installed extensions, including their source. However, this typically requires users to grant additional permissions, and Tampermonkey scripts themselves restrict the use of some APIs.

3. Server-side verification: If you have control over the server, you can require all scripts installed from the Chrome Web Store to undergo server-side verification during installation, with the server recording the IDs of all verified scripts. Subsequently, the script can send requests to the server during execution to check if its ID is in the verification list.

Conclusion

Due to the high openness and customizability of Tampermonkey scripts, determining solely from the script itself whether it was installed from the Chrome Web Store can be challenging and uncertain. Typically, combining metadata markers with server-side verification is a relatively feasible approach. It is important to note that these methods can potentially be bypassed, so security and accuracy cannot be fully guaranteed. In practical applications, the most suitable method can be chosen based on specific circumstances.

First, we need to understand the technical differences between extensions installed from the Chrome Web Store and those installed from other sources.

1. Understanding the Background

Chrome extensions can be installed in various ways, such as directly from the Chrome Web Store or by loading unpacked extensions in developer mode. These installation methods can affect certain properties of the extension to some extent.

2. Chrome Extension ID

Every extension installed from the Chrome Web Store has a unique ID that remains constant throughout its lifecycle. For extensions loaded in developer mode, the ID is generated based on the absolute path of its file location, so it may change across different machines or different file paths.

3. Detection Methods

Within a Tampermonkey script, there is no direct method to detect whether an extension was installed from the Chrome Web Store, as scripts typically run in a sandboxed environment isolated from the extension's installation details. However, you can use indirect methods to infer this:

a. Check the Extension ID

If you can obtain the ID of the currently running extension in some way, you can verify whether this ID conforms to the Chrome Web Store ID format (typically a long string of random alphanumeric characters). This can be done by analyzing and comparing with known Chrome Store extension IDs.

b. Use Web Requests

You can attempt to send a request to https://chrome.google.com/webstore/detail/<extension-id> to see if it returns the extension's store page normally. If it returns a 404 or other errors, it is likely that the extension was not installed from the Chrome Web Store.

c. Analyze the Extension Manifest File

The extension's manifest file (manifest.json) may contain clues, such as the update URL (update_url). Extensions from the Chrome Web Store typically have update URLs pointing to Google.

4. Permissions and API Limitations

It is important to note that due to browser's same-origin policy and extension permission settings, directly accessing extension details (such as ID or manifest file) from a Tampermonkey script may be restricted. You may need to use APIs provided by the extension itself or collaborate with the extension author to achieve this functionality.

5. Example

Assuming we have permission to access the extension ID, we can write the following detection code:

javascript
// Assuming a known extension ID from the Chrome Web Store
const knownStoreExtensionId = "fhbjgbiflinjbdggehcddcbncdddomop";

// Get the current extension's ID
const currentExtensionId = chrome.runtime.id;

// Check for match
if (currentExtensionId === knownStoreExtensionId) {
  console.log("This extension was installed from the Chrome Web Store.");
} else {
  console.log("This extension may not have been installed from the Chrome Web Store.");
}

This method relies on being able to access chrome.runtime.id, which may not be feasible in some environments. In summary, detecting whether an extension was installed from the Chrome Web Store involves multiple technical challenges and requires selecting appropriate methods based on specific circumstances.