What does "Allow access to file URLs"
2,166 views
Skip to first unread message
extension_tester
Aug 19, 2023, 2:36:47 PM8/19/23
to Chromium Extensions
I couldn't find an official documentation or answers in this forum.
I installed an extension from WebStore and granted "Allow access to file URLs", because I wanted it to work on a local html file.
The extension only requested this permission: "Read and modify all your data on all websites".
But now I'm wondering about the potential risks of enabling this setting for extensions.
From my understanding a malicious extension with this toggled enabled would be able to
- Search through your file system by guessing the common file paths for password folders, etc, effectively being able to upload your whole file system to its servers, given enough time.
I couldn't find a definitive answer to these questions:
- Could it modify local files? Provided you didn't grant any other permissions except "Read and modify all your data on all websites"?
- Could it delete local files?
This would be a huge security risk. It wouldn't even be necessary to hardcore file paths inside the extension, they could be fetched from the attacker's server, effectively bypassing WebStore review process, especially if the extension has thousands of lines of minified code that can't be properly vetted if someone hides the malicious local file reading code somewhere inside the extension + using the backend to feed the paths.
I think Chromium should implement a warning when toggling this option, because many people assume that this toggle would only give read permission for the files the user opens inside the browser.
I installed an extension from WebStore and granted "Allow access to file URLs", because I wanted it to work on a local html file.
The extension only requested this permission: "Read and modify all your data on all websites".
But now I'm wondering about the potential risks of enabling this setting for extensions.
From my understanding a malicious extension with this toggled enabled would be able to
- Search through your file system by guessing the common file paths for password folders, etc, effectively being able to upload your whole file system to its servers, given enough time.
I couldn't find a definitive answer to these questions:
- Could it modify local files? Provided you didn't grant any other permissions except "Read and modify all your data on all websites"?
- Could it delete local files?
This would be a huge security risk. It wouldn't even be necessary to hardcore file paths inside the extension, they could be fetched from the attacker's server, effectively bypassing WebStore review process, especially if the extension has thousands of lines of minified code that can't be properly vetted if someone hides the malicious local file reading code somewhere inside the extension + using the backend to feed the paths.
I think Chromium should implement a warning when toggling this option, because many people assume that this toggle would only give read permission for the files the user opens inside the browser.
wOxxOm
Aug 20, 2023, 2:26:58 AM8/20/23
to Chromium Extensions, extension_tester
> Search through your file system by guessing the common file paths for password folders, etc, effectively being able to upload your whole file system to its servers, given enough time.
Sure can.
> Could it modify local files? Could it delete local files?
The "Read and modify all your data on all websites" permission allows extensions to change data inside the tab/frame that shows the site and make a network request to the site, which may be processed by the server and change the remote data as a result. Since file:// protocol isn't served through a server the extensions can't change data on such URLs.
> I think Chromium should implement a warning when toggling this option, because many people assume that this toggle would only give read permission for the files the user opens inside the browser.
+1 and the warning should be always shown under the switch and this switch should be even in red color.
Consider suggesting it in https://crbug.com.
Reply all
Reply to author
Forward
0 new messages