
Can web applications be secured against browser extensions?

It seems there are a vast number of browser extensions that exhibit malicious behavior. Additionally, even valid extensions could suffer from security vulnerabilities that make them behave maliciously.

One way to avoid this problem is to package your web application with a platform like NWJS, Electron, or similar. This has the advantage of removing the extension ecosystem, but also suffers from a number of drawbacks (installation process, more resource consumption, increased labor, and more).

Some have argued that "In the end it's the user's responsibility, not the website's fault that the user is compromised". While that makes a good point, those of us responsible for software that manages sensitive data still have a duty to protect.

When writing a web application that will access sensitive data, is there anything that can be done to secure against browser extensions?


Edit: Any creative solutions to this problem would be great. Alternatively, a confirmed negative would also be welcome. Some trains of thought that extend from this question:

  • Can the window object be protected or somehow made private?
  • Are there any restrictions to an extension's JavaScript that loads before the page that could be used to the web application's advantage?
  • Can a companion extension detect other extensions and then communicate to the web application that it is unsafe to run? Or at least notify the user of the potential for abuse?
  • Are extension background scripts also injected into iframes and child windows created by calling window.open? Perhaps the web application could replace the window object with a different, safe copy of a window object.
  • Might there be some clever way to detect if third-party code has been run on the page? A sort of "hash" of the JavaScript environment?

There's a (primitive) solution to detect user extensions installed on the browser; from there I guess you can deny access to your web application until the user uninstalls these extensions. It consists of a small database of assets (icons): if the JavaScript can find these assets, it means the extension is installed.

CONS: You can't detect if the extensions are running, therefore if the user disables them that won't be detected and you will still get a positive.

The code is in this link:

Can a Website detect what browser extensions are being used?

Post with users feeding this database with more assets:

https://blog.jeremiahgrossman.com/2006/08/i-know-what-youve-got-firefox.html
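The asset-probe approach described in the answer above, written out as an added example (this is not the linked code): it assumes a constructed catalogue with placeholder extension ids and asset paths, and it only works where the browser exposes a stable extension origin and the asset is reachable from web pages.

```javascript
// Added example, not from the original answer. Catalogue entries are constructed
// placeholders; a real entry needs the extension's id and a resource path that the
// extension declares as web accessible (Chromium). On Firefox the moz-extension://
// origin is randomised per profile, so this technique does not apply there.
const EXTENSION_CATALOG = [
  { name: "example-ext-a", url: "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/icon.png" },
  { name: "example-ext-b", url: "chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/icon.png" },
];

// Browser probe: resolves true if the asset loads, false on error or timeout.
// Only runs in a browser (needs the Image constructor).
function probeWithImage(url, timeoutMs = 1500) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => { img.src = ""; resolve(false); }, timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Pure aggregation step: map probe outcomes (aligned with the catalogue) to the
// sorted names of extensions whose asset was found.
function namesDetected(catalog, found) {
  return catalog
    .filter((entry, i) => found[i] === true)
    .map((entry) => entry.name)
    .sort();
}

// Probe every catalogue entry in parallel. `probe` is injectable so the logic can
// be exercised outside a browser; it defaults to the Image-based probe above.
async function detectExtensions(catalog = EXTENSION_CATALOG, probe = probeWithImage) {
  const found = await Promise.all(catalog.map((entry) => probe(entry.url)));
  return namesDetected(catalog, found);
}

// Policy helper: the page decides what a non-empty list means, e.g. warn the
// user or refuse to render views that handle sensitive data.
function isEnvironmentUntrusted(detected) {
  return detected.length > 0;
}

// Browser usage:
// detectExtensions().then((d) => { if (isEnvironmentUntrusted(d)) { /* warn or block */ } });
```

As the answer's CONS line notes, a disabled extension still serves its assets, so a hit means "installed", not "running"; an extension that declares no web-accessible resources is invisible to this check.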
