Install Chrome extensions

Google Chrome extensions are small software programs that can modify and enhance the functionality of Google Chrome.

You can download Google Chrome extensions from the extensions gallery. Alternatively, to learn how to create your own extensions, see Google Chrome Extensions.

Force-installing an extension can be done in one of three ways: via group policy, the registry, or via master_preferences.

Force-installing via group policy

Using policy to deploy an extension or Chrome web app is the easiest and most scalable method. This is the recommended method for pushing extensions, as it does not require the CRX file to be on the machine. It must simply be available at a given URL.

To use this method, set the policy to "force install" the extension, as described here.

Force-installing via master_preferences

Force-installed extensions are added to the master_preferences file that lives next to chrome.exe. This means that the CRX file can live anywhere, and the bits don't need to live on the target user's machine and don't need to be packaged into any installation script.

If you're not familiar with the master_preferences file or how it works, see configuring preferences.

There are some requirements to using this method:

  • This method only works if the user has access to the public extension gallery or another URL where the CRX file is kept. As such, this method might not work if the user is behind a corporate firewall or proxy that restricts access to the gallery.

  • This method generally only works on new installs. Making it work with an existing install is cumbersome and requires a lot of clean-up steps.

To force-install an extension via master_preferences:

  1. Find the CRX file you want to install. Download it from the gallery, or create and package your own.

  2. Open up the CRX with a zip program and find the manifest.json file (it's just a text file). This contains many values you will need.

  3. Set up your master_preferences with values from the manifest.json file.

Here's an example master_preferences, which force-installs the Google Reader extension:


{
 "homepage" : "http://dev.chromium.org",
 "homepage_is_newtabpage" : true,
 "extensions": {
    "settings": {
       "apflmjolhbonpkbkooiamcnenbmbjcbf": {
          "location": 1,
          "manifest": {
             "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5cK3ybDkh173plsjDX
              oqUzvsjFRMtbc5+a8HR6dxYBETeXQ7GOR5/xYnsY2R4smo5ly4yUK69iF7rnPNH+
              X97K7e7JFbuH5W/ZRc8YaIG66oJ9JwKZagSOZasSJPWNz4f1GdaHD1Z4KRucvOYx
              saPVdwS2W3nbG6i3oQFaio+JQIDAQAB",
             "name": "Google Reader Notifier (Installing...)",
             "permissions": [ "tabs", "http://www.google.com/" ],
             "update_url": "http://clients2.google.com/service/update2/crx",
             "version": "0.0"
          },
          "path": "apflmjolhbonpkbkooiamcnenbmbjcbf\\0.0",
          "state": 1
       }
    }
  }
}

Here's a breakdown of the lines in this master_preferences file:

  • Under settings, the first value is the hash of the extension ("apflmjolhbonpkbkooiamcnenbmbjcbf"). You get this by packaging up the CRX file, and is also the extension's identifier in the gallery.
  • "location" must always be 1.
  • The "manifest" section must contain "key", "name", "permissions", "update_url", and "version". These can come from the extension's manifest.
  • The "key" value comes from the packaged extension, just like the hash. If you look at an unzipped CRX file, you'll find the "key" in manifest.json.
  • "name" can be anything, although having a temporary tag (i.e. "(Installing...)") will help users understand why an extension is taking an extra bit of time to load.
  • "permissions" must be the same as the permissions in the extension CRX file at "update_url", or the user will see lots of warnings and it won't load. So, you can't specify and empty permissions array, and the real extension requires lots of permissions -- that would hide escalating privilege.
  • "update_url" is the URL where the CRX lives. Again, this is in the manifest.json file.
  • "version" should always be "0.0".
  • "path" should always be the extension's hash followed by "\\0.0".
  • "state" should always be 1.
  • If any of these rules are broken, the extension might not load or the user might see a warning.

Important: If the extension contains content scripts that need permissions, they must be listed in the master_preferences as well. Here's an example:


{
 "extensions": {
    "settings": {
       "apflmjolhbonpkbkooiamcnenbmbjcbf": {
          "location": 1,
          "manifest": {
              "content_scripts": [ {
                "all_frames": true,
                "js": [ "script.js" ],
                "matches": [ "http://*/*", "https://*/*" ],
                "run_at": "document_start"
              } ],
             "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5cK3ybDkh173plsjDX
             oqUzvsjFRMtbc5+a8HR6dxYBETeXQ7GOR5/xYnsY2R4smo5ly4yUK69iF7rnPNH+X
             97K7e7JFbuH5W/ZRc8YaIG66oJ9JwKZagSOZasSJPWNz4f1GdaHD1Z4KRucvOYxsa
             PVdwS2W3nbG6i3oQFaio+JQIDAQAB",
             "name": "Google Reader Notifier (Installing...)",
              ...
If the extension has content scripts that need permissions / access, and you do not specify it here, the extension will not load.

You can pre-load multiple extensions. Adding an additional extension is as easy as adding another block under "settings":


{
 "extensions": {
    "settings": {
       "apflmjolhbonpkbkooiamcnenbmbjcbf": {  <-- extension one
          "location": 1,
          "manifest": {
              ...
          }
        },
       "oaiwevnmzvoinziufeuibyfnzwevmiiw": {  <-- extension two
         "location": 1,
         "manifest": {
           ...
       },
       ...
     }
   }
}

If the extension has any permissions that require user approval, you also need to include a granted_permissions section:


{
  "extensions": {
    "settings": {
      "mihcahmgecmbnbcchbopgniflfhgnkff": {
        "location": 1,
        "manifest": {
          ...
        },
        "granted_permissions": {
          "api": [ "tabs" ],
          "explicit_host": [ "http://*.google.com/*", "https://*.google.com/" ],
          "scriptable_host": [ "http://example.com/" ]
        },
        ...
      },
      ...
    }
  }
}

If you don't include a granted_permissions section, Chrome immediately disables the extension. The granted_permissions field has the following subfields:

  • "api" contains API permissions in the "permissions" key of the manifest
  • "explicit_host" contains any host permissions in the "permissions" key of the manifest
  • "scriptable_host" should be set to any hosts in the extension's content scripts

The easiest way to generate the granted_permissions field is to install the extension locally and then copy the extension's granted_permissions from the Preferences file of your Chrome profile.