I came face to face with “The Man” recently, and lost hopelessly.
You see, I spent two weekends working on a relatively basic Chrome Extension that I find useful in my day job; I often have to test a Web App Firewall, and usually you need to simulate traffic from multiple different source clients. The easiest way to do this for HTTP is to use the X-Forwarded-For (XFF) header, and configure your WAF to trust it. So, I thought, if I made an extension to automatically switch the XFF header, it would take some tedium out of this process.
I spent a bit of time on Eloquent JavaScript and the Chrome Developer Documentation, and over two weekends, came up with a slightly configurable and reasonably usable extension that allows you to inject an XFF header into requests to a target server you configure. I called it “x-cycle”.
Feeling proud of my accomplishment, I push this to the Chrome Store as a Developer Tool (paid a $5 verification fee in the process).
I spend the next 12 hours eagerly searching for my extension in the Chrome Web Store, hoping that my first ever extension would show up. After frustration with not finding it, I decide to go to my Chrome Developer Dashboard and check. “At least one of your items has been removed from the store because it did not comply with our policies or terms of service.” Huh? No email, no notification, and no specification of which terms I have violated, and very little I can do about it.
Nobody will get to use my extension, unless I distribute it manually, and Chrome already makes it near impossible to distribute an extension outside of the Chrome Store, so, I won’t get much traction there, regardless of how much I think people with my kind of job would find this tool useful.
I understand more vividly why walled gardens can be a problem. Previously, I have always preferred Android to iOS because I felt like Google didn’t do too much to dictate what kind of software I can use on my phone compared to Apple, but looking at Chrome, it seems like I never considered the fact that Chrome has become a walled garden, and one that badly needs to improve its engagement at that.
If you take down someone’s work, you need to at least explain why, so that they can work on resolving it. I get the distinct feeling that some Reviewer just saw “X-Forwarded-For”, googled it, and saw it as a way to “mask” your IP address, and thought “Oh No! Hacking Tool!!” and took it down. This would be a real shame.
Any experienced web admin knows that you don’t trust X-Forwarded-For, unless it was set by a device that you control, thus there is limited scope for abuse of this extension, even for people who are intent on mischief. The policy for trusting XFF is that you strip whatever you received, and then inject the value that you are going to trust. Someone who tests a WAF is both in control of the client and the web-server, and can configure it to trust this header, and this is what makes this extension useful in my view.
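The trust policy described above, as an added example that is not code from the post or from the x-cycle extension: a resolver that only honours XFF when the directly connected peer is a proxy we control (walking the header from the right and skipping our own hops), plus the edge-side rewrite that strips whatever XFF was received before setting the value that will be trusted. The 10.0.0.0/8 trusted range and all addresses are constructed for the example.

```python
import ipaddress

# Constructed example: the only hops we operate and therefore trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to a network we control. Raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the address to attribute the request to.

    If the TCP peer is not a proxy we control, XFF is attacker-controlled
    input and is ignored entirely. Otherwise walk XFF right-to-left: the
    rightmost hops were appended by our own proxies and are skipped; the
    first address that is not ours is the client as seen by our edge.
    Anything to the left of that was supplied by the client and is ignored.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Malformed entry: do not guess, fall back to the peer address.
            return remote_addr
    return remote_addr


def edge_rewrite_xff(incoming_headers, peer_addr):
    """What a controlled edge proxy does before forwarding inward: drop any
    X-Forwarded-For the peer sent and set it to the address we observed."""
    headers = {k: v for k, v in incoming_headers.items()
               if k.lower() != "x-forwarded-for"}
    headers["X-Forwarded-For"] = peer_addr
    return headers
```

For the WAF-testing scenario in the post, the tester's own client address is simply added to the trusted list, so the header it injects is honoured while the same header from any other source is discarded.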
I have submitted a support ticket to some Google Support service that took some Googling to find, hoping I would get back a more actionable response whenever they do get round to it.
Until then, twiddling thumbs and wondering whether the “open” web we so proudly proclaim is not really just a walled garden with tremendous power in the hands of the people who make web browsers. It is probably little wonder then that practically all browsers are free of charge; the vendors absorb the cost in exchange for users, who in turn amplify the power of the browser vendor. They can then hold advertisers, publishers and developers to ransom. Hmmm.