IMO the only question to ask for this API is, should it ever be public? I think the answer is no.
Hi,
This is a whitelisted API, meaning it is not available for use by any extension other than the Chrome Extension & Apps Developer Tool.
No
On Saturday, October 17, 2015 at 7:56:41 AM UTC-7, Adrienne Porter Felt wrote: No
How then could a security researcher A) build a 'passive' extension monitor for the public or B) build a local cluster to run all extensions and monitor them?
For (A), I could use chrome.webRequest.onCompleted.addListener(..., <all_urls>) and check for a tabId of -1, but I still don't know which extension the traffic originated from. For (B), I tried chrome.debugger.attach() but it won't let me access a chrome-extension:// URL of a different extension.
I could patch Chrome and add my extensionId to the whitelist for activityLogPrivate. Instrumentation is a little out of my league, but I suppose that's what the HULK academics did (http://www.icir.org/vern/papers/hulk-usesec14.pdf).
If you want to test extensions on your own, then yes, add your extensionId to the whitelist and run a custom build off ToT.
Alternately, if you install the CADT (DevTools) then you'll see a database full of activity log information appear on disk in the preferences folder.