Should it be so easy to inject javascript with a Chrome extension?

As part of a security test, I have built a very basic Chrome extension with the purpose of being able to read secure cookies, as well as localStorage data. I managed to get this to work, which itself is a pretty bad thing, however, when building I used the following line:

chrome.tabs.executeScript(tabs[0].id, {code: '...'});

Now, from my understanding of this, this line of code will actually allow you to execute any javascript on the page, provided the user has agreed to the permissions of course.

With this, even with a CSP header on, anyone could quite easily create an extension to do what I have done above.

Should it be that easy to inject Javascript onto a webpage using an extension? Surely not!?

Bear in mind, I have the extension running in developer mode on my machine, and have not published it to the Chrome store, but I haven't seen anything in regards to extensions being approved, just that they are approved and live immediately.

In case that it is possible by design for this to happen, are there any ways to prevent things like this happening? Are there any CSP headers etc. that can help prevent this?

Many thanks all

As mentioned by Chirag Ranvindra in a comment:

browser extensions usually bypass all security features set on normal websites

Google states that users install Google Chrome Extensions at their own risk, which is the case for most software that allows plugins, addons, mods or the like.

To reduce the chance of a user installing an extension that is a potential risk, there are several warnings to the user, such as the requested permission before installing and reminders that "Developer" extensions can be a security risk, and, as part of their Terms and Conditions, they can and do deactivate extensions that violate their Extension Guidelines.

Refer to The Google Chrome Terms and Conditions, specifically "20. Additional Terms for Extensions for Google Chrome".

As with any program you download, you should seriously consider if it's necessary to install, and if it's from a reputable developer. I'd recommend only installing extensions through the Official Google Chrome Extensions Webstore.
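
An added example (not from the original question or answer): a Node.js check that reads an extension's manifest and reports which sites it could inject script into or read cookies from, which is what the install-time permission prompt summarizes. It goes beyond the `chrome.tabs.executeScript` call in the question by also covering Manifest V3's `scripting` permission and declared content scripts; `auditManifest`, the finding names and the sample manifest are constructed for illustration.

```javascript
// Added example: report what a Chrome extension manifest allows on web pages.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');
// Patterns that cover every site instead of a named host.
const isBroad = (p) => p === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(p);

function auditManifest(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 lists hosts separately
  ].filter((p) => typeof p === 'string');
  const hosts = perms.filter(isHostPattern);
  const apis = new Set(perms.filter((p) => !isHostPattern(p)));
  const contentHosts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  // MV2 chrome.tabs.executeScript needs only host access or activeTab;
  // MV3 chrome.scripting.executeScript also needs the "scripting" permission.
  const canExec = manifest.manifest_version === 3 ? apis.has('scripting') : true;

  const findings = [];
  if (canExec && hosts.length) {
    findings.push({ issue: 'programmatic-injection', hosts });
  }
  if (canExec && apis.has('activeTab')) {
    // activeTab grants access only to the tab the user invokes the extension on.
    findings.push({ issue: 'injection-on-user-gesture', hosts: [] });
  }
  if (contentHosts.length) {
    findings.push({ issue: 'content-script', hosts: contentHosts });
  }
  if (apis.has('cookies') && hosts.length) {
    findings.push({ issue: 'cookie-access', hosts });
  }
  return findings.map((f) => ({ ...f, broad: f.hosts.some(isBroad) }));
}

// Constructed sample: a Manifest V2 extension asking for every site.
const sampleManifest = {
  manifest_version: 2,
  name: 'sample (constructed)',
  permissions: ['tabs', 'cookies', '<all_urls>'],
};
for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.issue}: ${f.hosts.join(', ')}${f.broad ? ' [all sites]' : ''}`);
}
```

Run it against the `manifest.json` of an unpacked extension before loading it; any finding marked `[all sites]` means the extension can act on every page the browser visits.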
