The permission of extension's content scripts


lwy...@pku.edu.cn

May 17, 2018, 2:16:30 AM
to Chromium-discuss
Hi guys,

I have a question about the high-level design of the Chromium extension architecture. The content script of an extension can be injected into a given renderer process, such that the extension can operate the DOM objects.

But it seems that the content script has full permission on behalf of the web page, such as getting this website's cookie or even sending requests to the web server. So can a malicious extension craft its content script to communicate with the web server or even manipulate the web server's behavior?

Any ideas are appreciated. Thank you.

PhistucK

May 17, 2018, 3:33:34 AM
to lwy...@pku.edu.cn, Chromium-discuss
Yep, extensions are powerful.
That is why you see a permission warning when you install them - "Read and change all your data on the websites you visit".

PhistucK



Abraham Luna

May 17, 2018, 8:11:58 AM
to Chromium-discuss
Yes, Google has had to remove thousands of malicious extensions that were stealing users' info; it's all over the internet news.
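
Added example, not part of the original thread and not Chromium code: a small Node.js audit that lists where an extension's manifest.json grants page access and flags match patterns that cover every host, the kind of site-wide access behind the install warning quoted above. The function names and the sample manifest are constructed for illustration.

```javascript
// True when a Chrome match pattern applies to every host,
// e.g. "<all_urls>", "*://*/*" or "https://*/*".
function coversAllHosts(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// List every place a manifest grants access to web pages and mark
// the grants that span all sites.
function auditManifest(manifest) {
  const findings = [];
  // Content scripts are injected into pages whose URL matches "matches".
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      findings.push({ source: `content_scripts[${i}].matches`, pattern: p,
                      allSites: coversAllHosts(p) });
    }
  });
  // Host patterns live in "permissions" (Manifest V2) or
  // "host_permissions" (Manifest V3); API names such as "storage" are skipped.
  for (const key of ['permissions', 'host_permissions']) {
    for (const p of manifest[key] || []) {
      if (typeof p === 'string' && (p === '<all_urls>' || p.includes('://'))) {
        findings.push({ source: key, pattern: p, allSites: coversAllHosts(p) });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 2,
  name: 'Sample extension (constructed)',
  version: '1.0',
  permissions: ['storage', 'https://example.com/*'],
  content_scripts: [
    { matches: ['*://*/*'], js: ['inject.js'] },
    { matches: ['https://mail.example.com/*'], js: ['mail.js'] },
  ],
};

const findings = auditManifest(sampleManifest);
for (const f of findings) {
  console.log(`${f.allSites ? 'ALL SITES' : 'scoped   '}  ${f.source}: ${f.pattern}`);
}
```

Patterns such as `*://*.com/*` are reported as scoped by this check even though they still cover a very large set of sites, so review scoped entries too.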