extensions: insecure, url in manifest.json "permissions" treated as /*

acx01bc

Mar 16, 2017, 2:12:56 PM3/16/17
to Chromium-Extensions-Announce
In this stackoverflow question user @wOxxOm pointed out that "http://any_url.json" in "permissions" is treated as "http://any_url.json/*" (see https://developer.chrome.com/extensions/match_patterns).

I don't understand why this is the case, since it makes any extension with such a manifest.json insecure (*), while not treating it as /* would make it secure.


Can a developer explain why this is the case, or explain what I missed about the same origin policy?


(*) There is sample code in the link.

Thank you.
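As an added illustration (not code from the thread or from Chromium), the following manifest linter applies the normalization the post describes: for every host-permission entry it replaces whatever path the author wrote with "/*" and reports entries whose written path is narrower than the scope actually granted. The manifest object, the parser and the function names are all constructed here for the example; the pattern grammar follows the documented <scheme>://<host><path> form from the match_patterns page linked above.

```javascript
// Constructed sample manifest for the example (not a real extension).
const sampleManifest = {
  name: "demo",
  permissions: [
    "storage",                       // API permission, not a host pattern
    "http://myserver.com/file.json", // author intends a single file
    "*://*.example.org/api/*",       // author intends one path prefix
    "<all_urls>",
  ],
};

// Parse a match pattern into scheme/host/path following the documented
// <scheme>://<host><path> syntax. Returns null for non-URL permissions.
function parseMatchPattern(p) {
  if (p === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)?$/.exec(p);
  if (!m) return null;
  return { scheme: m[1], host: m[2] || "", path: m[3] || "/" };
}

// Effective host permission as described in the thread: the path is
// widened to "/*", so the grant covers the whole origin.
function effectiveHostPermission(p) {
  const parsed = parseMatchPattern(p);
  if (!parsed) return null;
  return `${parsed.scheme}://${parsed.host}/*`;
}

// Report every host permission whose written path is narrower than "/*";
// these are the entries a reviewer would otherwise misjudge as limited.
function auditHostPermissions(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    const parsed = parseMatchPattern(p);
    if (!parsed) continue; // e.g. "storage"
    if (parsed.path !== "/*" && parsed.path !== "/") {
      findings.push({
        written: p,
        effective: effectiveHostPermission(p),
        note: "path is ignored; grants access to the whole origin",
      });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the sample manifest.
for (const f of auditHostPermissions(sampleManifest)) {
  console.log(`${f.written} -> ${f.effective} (${f.note})`);
}
```

Running the audit before installing or publishing an extension shows at a glance which origins are fully reachable, which is the information a reviewer needs when deciding whether the listed hosts are acceptable.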

acx01bc

Mar 16, 2017, 2:29:00 PM3/16/17
to Chromium-Extensions-Announce
I just realized that even if you are only allowed to make a `GET` request to only one URL

        // open() returns undefined, so keep the request object and send it explicitly
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://myserver.com/file.json");
        xhr.send();

then you can still send a small amount of data to myserver.com:

        Make a request on an odd day if you want to communicate a 1 and on an even day if you want to communicate a 0.
        So in any case, it is insecure to install an extension if you didn't look at its source code and it has at least one URL in `"permissions"`.

I think this answers to my original question.