Hi guys,
I have a question about the high-level design of the Chromium extension architecture. The content script of an extension can be injected into a given renderer process, such that the extension can operate on the DOM objects.
But it seems that the content script has full permission on behalf of the web page, such as getting this website's cookie or even sending requests to the web server. So can a malicious extension craft its content script to communicate with the web server or even manipulate the web server's behavior?
Any ideas are appreciated. Thank you.