What is AccessLevel in chrome.storage


Jackie Han

Oct 25, 2022, 10:33:02 AM
to Chromium Extensions
I stumbled upon a doc update. Since Chrome 102, there are AccessLevel and setAccessLevel in chrome.storage. What does it mean? In other words, what are "TRUSTED_CONTEXTS" and "UNTRUSTED_CONTEXTS"?

Jackie Han

wOxxOm

Oct 26, 2022, 10:06:50 AM
to Chromium Extensions, Jackie Han
trusted = origin of the extension i.e. all contexts that have chrome-extension://id origin
untrusted = content scripts

Jackie Han

Oct 26, 2022, 4:26:19 PM
to wOxxOm, Chromium Extensions
I did some tests. Let me add some information for everyone.

trusted context: extension origin (extension page or service worker)
untrusted context: content script (main world)

1. AccessLevel is only related to chrome.storage.session in MV3, not related to local/sync/managed.
2. setAccessLevel() method can only be run on storage.session in trusted context.

By default, AccessLevel is "TRUSTED_CONTEXTS":
  • In extension pages: all session/local/sync/managed are available.
  • In content script: local/sync/managed are available, but session is not available.
In trusted context, change AccessLevel to "TRUSTED_AND_UNTRUSTED_CONTEXTS": 
chrome.storage.session.setAccessLevel({accessLevel: "TRUSTED_AND_UNTRUSTED_CONTEXTS"});
PS: local/sync/managed don't have setAccessLevel() method.

Now, AccessLevel is "TRUSTED_AND_UNTRUSTED_CONTEXTS":
  • In extension pages: all session/local/sync/managed are available.
  • In content script: session is also available now.

wOxxOm

Oct 26, 2022, 4:36:57 PM
to Chromium Extensions, Jackie Han, Chromium Extensions, wOxxOm
Yep, that's correct. BTW the documentation is incorrectly showing this method for all areas, whereas the source defines it only inside storage.session.

Note that currently storage.session leaks to the content script via onChanged listener regardless of access level, so if the site breaks the isolation barrier it can gain access to this storage in particular. It's tricky to guard against this because even if you delete window.chrome and store it as a local variable, the exploit can create an iframe where window.chrome will be defined anew.
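
A self-test for the behaviour discussed in the posts above, as an added example that is not part of the thread: run from a content script, it reports whether storage.session is readable there and whether session-area changes still arrive through storage.onChanged. CANARY_KEY and the function names are hypothetical, and it assumes a denied get() rejects or throws.

```javascript
// Added example, not code from the thread. CANARY_KEY and both function
// names are hypothetical; `storage` is the chrome.storage object.
const CANARY_KEY = "__session_exposure_canary__";

// Trusted side (service worker or extension page): pin the access level
// explicitly, then write a harmless canary value to storage.session.
async function writeCanary(storage, accessLevel = "TRUSTED_CONTEXTS") {
  await storage.session.setAccessLevel({ accessLevel });
  await storage.session.set({ [CANARY_KEY]: Date.now() });
}

// Content script side: after the trusted side writes the canary, can this
// context read storage.session, and did onChanged report the write anyway?
async function probeSessionExposure(storage, triggerWrite, timeoutMs = 500) {
  const result = { readable: false, seenViaOnChanged: false };

  // Register the listener before the write so the event cannot be missed.
  let listener;
  const changeSeen = new Promise((resolve) => {
    listener = (changes, areaName) => {
      if (areaName === "session" && CANARY_KEY in changes) resolve(true);
    };
    storage.onChanged.addListener(listener);
  });

  await triggerWrite(); // asks the trusted side to run writeCanary()

  try {
    await storage.session.get(CANARY_KEY); // assumed to reject/throw if denied
    result.readable = true;
  } catch (_) {
    result.readable = false;
  }

  // Wait for the change event, but give up after timeoutMs.
  let timer;
  const timedOut = new Promise((resolve) => {
    timer = setTimeout(() => resolve(false), timeoutMs);
  });
  result.seenViaOnChanged = await Promise.race([changeSeen, timedOut]);
  clearTimeout(timer);
  storage.onChanged.removeListener(listener);
  return result;
}
```

In an extension, pass chrome.storage as `storage`; `triggerWrite` would be a chrome.runtime.sendMessage() call that the service worker answers after running writeCanary(). A result of `readable: false` with `seenViaOnChanged: true` means values written to storage.session should be treated as visible to content scripts.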

wOxxOm

Oct 26, 2022, 4:37:28 PM
to Chromium Extensions, wOxxOm, Jackie Han, Chromium Extensions

Jackie Han

Oct 26, 2022, 8:31:26 PM
to wOxxOm, Chromium Extensions
Update a typo in my previous post: content script (main → isolated world)