Can web applications be secured against browser extensions?

It seems there are a vast number of browser extensions that exhibit malicious behavior. Additionally, even valid extensions could suffer from security vulnerabilities that make them behave maliciously.

One way to avoid this problem is to package your web application with a platform like NWJS, Electron, or similar. This has the advantage of removing the extension ecosystem, but also suffers from a number of drawbacks (installation process, more resource consumption, increased labor, and more).

Some have argued that "In the end it's the user's responsibility, not the website's fault that the user is compromised". While that makes a good point, those of us responsible for software that manages sensitive data still have a duty to protect.

When writing a web application that will access sensitive data, is there anything that can be done to secure against browser extensions?

Edit: Any creative solutions to this problem would be great. Alternatively, a confirmed negative would also be welcome. Some trails of thought that extend from this question:

  • Can the window object be protected or somehow made private?
  • Are there any restrictions on an extension's JavaScript that loads before the page that could be used to the web application's advantage?
  • Can a companion extension detect other extensions and then communicate to the web application that it is unsafe to run? Or at least notify the user of the potential for abuse?
  • Are extension background scripts also injected into iframes and child windows created by calling window.open? Perhaps the web application would replace the window object with a different, safe copy of a window object.
  • Might there be some clever way to detect if third-party code has been run on the page? A sort of "hash" of the JavaScript environment?

There's a (primitive) solution to detect user extensions installed on the browser; from there I guess you can deny access to your web application until the user uninstalls these extensions. It consists of a small database of assets (icons): if the JavaScript can find these assets, it means the extension is installed.

CONS: You can't detect if the extensions are running, therefore if the user disables them that won't be detected and you will still get a positive.

The code is in this link:

Can a Website detect what browser extensions are being used?

Post with users feeding this database with more assets:

https://blog.jeremiahgrossman.com/2006/08/i-know-what-youve-got-firefox.html
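As an added illustration of the asset-probing approach this answer describes (example code written here, not the answer's own and not from the linked post): it assumes Chromium-style chrome-extension://<id>/<path> URLs for assets the extension exposes to web pages, uses constructed placeholder extension ids, and takes the probe as a parameter so the detection logic can be exercised outside a browser.

```javascript
// Constructed sample "database" of extension assets. The extension ids and
// icon paths are placeholders, not real extensions.
const EXTENSION_ASSETS = [
  { name: "Example Extension A",
    url: "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/icon.png" },
  { name: "Example Extension B",
    url: "chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/images/logo.png" },
];

// Browser probe: an asset the extension exposes to web pages loads as an
// image; a load error or timeout is treated as "not found". As the answer
// notes, a successful load only shows the assets are present, not that the
// extension is currently running.
function browserImageProbe(url, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Core detection: probe every asset in parallel and return the names of the
// extensions whose asset loaded. The probe is injected so the same logic can
// run against a fake probe in tests or a different loader in another runtime.
async function detectInstalledExtensions(assets, probe = browserImageProbe) {
  const hits = await Promise.all(
    assets.map(async (asset) => {
      try {
        return (await probe(asset.url)) ? asset.name : null;
      } catch {
        return null; // any probe failure counts as "not found"
      }
    })
  );
  return hits.filter((name) => name !== null);
}

// Policy hook for the page: deny access while any listed extension is found.
function shouldBlockAccess(detected) {
  return detected.length > 0;
}

// Stand-alone usage in a browser (skipped where Image is not defined).
if (typeof Image !== "undefined") {
  detectInstalledExtensions(EXTENSION_ASSETS).then((detected) => {
    console.log(shouldBlockAccess(detected)
      ? "access denied, detected: " + detected.join(", ")
      : "no listed extensions found");
  });
}
```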
