Cannot embed content script into an extension.
99 views
Skip to first unread message
Naveen.B
Aug 8, 2011, 3:16:29 AM8/8/11
to Chromium-extensions
Hi,
Can somebody please clarify why a content script cannot be embedded
into another extension?
I see that a content script can only be embedded into a web page .
What are the security reasons behind taking this approach?
When I add chrome-extension://<path> to permissions in manifest.json,
I see error like scheme chrome-extension cannot be read.
Regards,
Naveen.B
Can somebody please clarify why a content script cannot be embedded
into another extension?
I see that a content script can only be embedded into a web page .
What are the security reasons behind taking this approach?
When I add chrome-extension://<path> to permissions in manifest.json,
I see error like scheme chrome-extension cannot be read.
Regards,
Naveen.B
Ben
Aug 9, 2011, 12:46:01 AM8/9/11
to Naveen.B, Chromium-extensions
I imagine they don't want malicious extensions having access to data in
other extensions without permission. One example would be if an
extension was able to gain access to LastPass's internal pages, it would
potentially have access to all of your password information.
other extensions without permission. One example would be if an
extension was able to gain access to LastPass's internal pages, it would
potentially have access to all of your password information.
If you want access to certain information within another extension, it
would be better to either ask the author to either use an
chrome.extension.onExternalRequest listener and provide a public API to
access the data, or use an onExternalRequest listener and verify that
it's your extension accessing the data by checking the requesting
extension's ID. Once that is implemented, you can use
chrome.extension.sendExternalRequest to get information from the
extension.
Naveen
Aug 9, 2011, 3:27:07 AM8/9/11
to Ben, Chromium-extensions
Thanks Ben.
The same could hold good for a web page into which we would be injecting a content script. An extension could as well corrupt a web page .
But since there are limitations to content scripts as they run in isolated world would handle these security considerations .
By injecting inside an extension don't you think the security measures still hold good.
My requirement is to just modify the DOM of an extension.
I have made changes inside chrome native code to allow which would allow me to add chrome-extension permission set in manifest.json.
This would enable my content script to get added to an extension also. Do you think its right to do that? Please provide your views.
Regards,
Naveen.B
The same could hold good for a web page into which we would be injecting a content script. An extension could as well corrupt a web page .
But since there are limitations to content scripts as they run in isolated world would handle these security considerations .
By injecting inside an extension don't you think the security measures still hold good.
My requirement is to just modify the DOM of an extension.
I have made changes inside chrome native code to allow which would allow me to add chrome-extension permission set in manifest.json.
This would enable my content script to get added to an extension also. Do you think its right to do that? Please provide your views.
Regards,
Naveen.B
Arne Roomann-Kurrik
Aug 9, 2011, 12:30:23 PM8/9/11
to Naveen, Ben, Chromium-extensions
I think this would be a bad idea. If you were able to inject code into an extension with more privileges than your own extension, that would be a privilege escalation exploit.
~Arne
--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.
Naveen
Aug 9, 2011, 12:48:51 PM8/9/11
to kur...@chromium.org, Ben, Chromium-extensions
Hi Arne,
Can this use case be accounted for by checking at the native code level?
Regards,
Naveen.B
Naveen
Aug 10, 2011, 11:09:27 PM8/10/11
to kur...@chromium.org, Ben, Chromium-extensions
Any thoughts on this. Can we make extensions embed content scripts to extensions by restricting some aspects in the chrome native code?
What are the implications of doing this?
What are the implications of doing this?
Arne Roomann-Kurrik
Aug 11, 2011, 1:55:29 PM8/11/11
to Naveen, Ben, Chromium-extensions
Honestly, I doubt this is the kind of thing that the team would want to have special case code in place for. But you can follow these steps to request the feature officially: http://code.google.com/chrome/extensions/faq.html#faq-fea-02
~Arne
Naveen
Aug 12, 2011, 1:39:26 AM8/12/11
to kur...@chromium.org, Ben, Chromium-extensions
Reply all
Reply to author
Forward
0 new messages