stackoom
  简体   繁体   中英

Should it be so easy to inject javascript with a Chrome extension?

 原文  2018-01-22 10:47:27       javascript/ google-chrome/ google-chrome-extension/ content-security-policy/ websecurity

Question

As part of a security test, I have built a very basic Chrome extension with the purpose of being able to read secure cookies, as well as localStorage data. I managed to get this to work, which itself is a pretty bad thing, however, when building I used the following line:

chrome.tabs.executeScript(tabs[0].id, {code: '...'});

Now, from my understanding of this , this line of code will actually allow you to execute any javascript on the page, provided the user has agreed to the permissions of course.

With this, even with a CSP header on, anyone could quite easily create an extension to do what I have done above.

Should it be that easy to inject Javascript onto a webpage using an extension? Surely not!?

Bear in mind, I have the extension running in developer mode on my machine, and have not published it to the Chrome store, but I haven't seen anything in regards to extensions being approved, just that they are approved and live immediately.

In case that it is possible by design for this to happen, are there any ways to prevent things like this happening? Are there any CSP headers etc. that can help prevent this?

Many thanks all

1 answers

solution1
 2 ACCPTED  2018-01-22 10:57:13

As mentioned by Chirag Ranvindra in a comment:

browser extensions usually bypass all security features set on normal websites

Google states that users install Google Chrome Extensions at their own risk , which is the case for most software that allows plugins, addons, mods or the like.

To reduce the chance of a user installing an extension that is a potential risk, there are several warnings to the user, such as the requested permission before installing, reminders that "Developer" extensions can be a security risk, and as part of their Terms and Conditions, can and do deactivate extensions that violate their Extension Guidelines.

Refer to The Google Chrome Terms and Conditions , specifically "20. Additional Terms for Extensions for Google Chrome".

As with any program you download, you should seriously consider if it's necessary to install, and if it's from a reputable developer. I'd recommend only installing extensions through the Official Google Chrome Extensions Webstore

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Chrome Extension - Inject Javascript not working Inject javascript in an iframe using chrome extension How to inject lots of Javascript files into CHROME EXTENSION? Chrome extension inject js Inject CSS for chrome extension Inject image in Chrome extension? Chrome Extension: How do I inject CSS and Javascript into a certain URL? Chrome Extension: Possible to Inject External JavaScript in Secured Pages? Inject javascript using chrome extension…it doesn't work chrome extension inject javascript at top of head before any other js
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM