By one, you mean the website that the script is running on, right? What's a possible attack vector there? I didn't understand how an attack might work from the example in the article.
If the domain of the site is checked by the browser extension outside the content process, injection of the password is initiated by the extension button, not a button on the page itself, so there is no API the content process has access to, and only the correct password for that domain is provided to the content script, what could the page do exactly that would be a security issue? The content process would just be responsible for receiving any password injected into the page and putting it in the right place.