Cross-extension messaging


Alan Karp

Mar 7, 2022, 3:11:50 PM3/7/22
to <friam@googlegroups.com>
This is really a JavaScript question, but it has important security implications.

It appears that any Chrome extension can send messages to any other Chrome extension.  All the sender needs to know is the public ID of the target extension.  Is that right?  Can this fact be turned into an exploit?  If so, has anyone heard of one?

Even worse, it appears that a content page, a script an extension injects into a web page, can send a message to any tab by simply guessing the tab ID, which is a small integer.

The only saving grace is that the runtime provides the sender's origin, so you can know who sent each message.  I wonder how many developers know that they have to check.  I haven't run across any such guidance, which leads me to believe that my concern is unfounded.

--------------
Alan Karp

Dan Finlay

Mar 7, 2022, 5:14:39 PM3/7/22
to friam
Hi Alan, Dan Finlay here, one of the leads at MetaMask, a browser extension that provides key management, and exposes signing operations to compatible websites (and extensions, as you've noticed).

You're totally right I think on both counts:
- Any Chrome extension can interact with any other. At MetaMask we've even published a module for making it easier to interact with our API for other extensions, and we require user consent before allowing any operations by this means.
- It is also true that WebExtension content scripts (any extension that has been given user permission to "read and modify the contents of" a given website) are able to post messages to that website. Some extensions like ours request and are given a wildcard permission, and are able to post messages to any site. Not all sites play nice with this; we have definitely broken some sites in the past that seemed to expect that their messages posted came only from domains they controlled.

This is probably worth making a more well-known developer best practice. One saving grace from a security perspective is that the only extensions that can do this were basically granted the highest authority by their user, so in theory those might be more trustworthy extensions, but we'd have to see in practice.

- Dan
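The second point above, that a content script can post to the site it is injected into, is worth seeing from the page's side. The following is an added example written for this page; it is not code from the thread or from MetaMask. It shows a `message` handler that checks more than `event.origin`, because a content script posts from the page's own origin and the page's own `window`, so an origin check alone lets it through. `PAGE_ORIGIN`, `CHANNEL_TAG`, the fake window and the sample events are all constructed for the example.

```javascript
// Added example (not from the thread, not MetaMask's code): a page-side
// handler for window.postMessage that does not rely on event.origin alone.
//
// A content script runs in the page's origin, so a message it posts with
// window.postMessage arrives with event.origin equal to the page's own origin
// and event.source === window, exactly like the page's own scripts. The
// CHANNEL_TAG is a hypothetical envelope marker the page's own scripts attach
// so that unexpected same-origin traffic is dropped instead of crashing the
// page.

const PAGE_ORIGIN = "https://app.example"; // constructed; stands in for window.location.origin
const CHANNEL_TAG = "app-rpc-c0ffee";       // constructed; known to the page's own scripts

// Pure predicate so it can be exercised without a browser.
function acceptMessage(event, pageWindow) {
  // 1. Cross-origin senders (other sites, other frames) are rejected outright.
  if (event.origin !== PAGE_ORIGIN) return false;
  // 2. Only messages posted on this window, not from a child frame or pop-up.
  if (event.source !== pageWindow) return false;
  // 3. Structural check: we only handle our own envelope shape.
  const d = event.data;
  if (!d || typeof d !== "object" || typeof d.method !== "string") return false;
  // 4. The tag separates the page's own scripts from a content script that
  //    happens to share the origin and the window.
  return d.tag === CHANNEL_TAG;
}

// Explain why a message was dropped; useful when logging broken integrations.
function classify(event, pageWindow) {
  if (event.origin !== PAGE_ORIGIN) return "cross-origin";
  if (event.source !== pageWindow) return "other-window";
  if (acceptMessage(event, pageWindow)) return "accepted";
  return "same-origin-untrusted";
}

// Constructed stand-in for the page's own window object.
const fakeWindow = { name: "top" };

// Constructed sample events, in the shape a MessageEvent exposes.
const SAMPLE_EVENTS = [
  // The page's own script: right origin, right window, right tag.
  { origin: PAGE_ORIGIN, source: fakeWindow, data: { tag: CHANNEL_TAG, method: "getState" } },
  // An iframe from another site.
  { origin: "https://ads.example", source: { name: "iframe" }, data: { tag: CHANNEL_TAG, method: "getState" } },
  // A content script: same origin and same window, but not our envelope.
  { origin: PAGE_ORIGIN, source: fakeWindow, data: { method: "getState", params: {} } },
  // A same-origin pop-up talking to its opener.
  { origin: PAGE_ORIGIN, source: { name: "popup" }, data: { tag: CHANNEL_TAG, method: "getState" } },
];

function classifyAll(events = SAMPLE_EVENTS, pageWindow = fakeWindow) {
  return events.map((e) => classify(e, pageWindow));
}

// Wiring on a real page (not executed here):
//   window.addEventListener("message", (ev) => {
//     if (acceptMessage(ev, window)) handle(ev.data);
//   });
if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyAll());
}
```

Note what this does and does not buy. It keeps the page from acting on messages it did not expect, which is the breakage Dan describes. It is not a security boundary against an extension the user has granted host permissions on the site: such an extension can read the DOM and inject into the page's main world, so any tag the page keeps is reachable by it.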

Alan Karp

Mar 7, 2022, 5:49:03 PM3/7/22
to <friam@googlegroups.com>
Thanks for the confirmation.  At least the behavior is opt-in.  You add a listener to onMessageExternal instead of onMessage.  I had missed that nicety until my umpteenth reading of the messaging documentation. 

--------------
Alan Karp
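The opt-in behaviour Alan mentions is the `chrome.runtime.onMessageExternal` listener, which is where the sender check he was looking for belongs. The following is an added example written for this page, not code from the thread or from MetaMask. It shows a dispatcher that allowlists extension IDs and page origins before serving a request; the IDs, origins and methods are constructed placeholders, and `makeFakeRuntime` is a stand-in for `chrome.runtime` so the file runs in Node.

```javascript
// Added example (not from the thread, not MetaMask's code): an extension-side
// dispatcher for chrome.runtime.onMessageExternal that checks who is talking
// before acting. IDs, origins and methods are constructed placeholders.

// Other extensions we are willing to serve (hypothetical 32-character IDs).
// Do not allowlist this extension's own ID: its own pages arrive on
// onMessage, never here, so the ID would add nothing.
const ALLOWED_EXTENSION_IDS = new Set(["abcdefghijklmnopabcdefghijklmnop"]);

// Web pages we are willing to serve. These must also be listed under
// externally_connectable.matches in the manifest or Chrome never delivers them.
const ALLOWED_PAGE_ORIGINS = new Set(["https://dapp.example"]);

// Constructed request table. Keyed by own property only (see hasOwnProperty below).
const METHODS = {
  ping: () => "pong",
  getVersion: () => "1.2.3",
};

// Pure function returning the reply object, so it is testable without Chrome.
function handleExternalMessage(message, sender) {
  let principal;
  if (sender && ALLOWED_EXTENSION_IDS.has(sender.id)) {
    // Extension sender: Chrome sets sender.id to the caller's extension ID.
    principal = "ext:" + sender.id;
  } else {
    // Otherwise treat it as a page sender and derive the origin. sender.origin
    // is present on recent Chrome; sender.url is the older field.
    let origin = null;
    try {
      origin = (sender && sender.origin) || (sender && sender.url ? new URL(sender.url).origin : null);
    } catch (_) {
      origin = null;
    }
    if (!origin || !ALLOWED_PAGE_ORIGINS.has(origin)) {
      return { ok: false, error: "sender not allowed", sender: { id: sender && sender.id, origin } };
    }
    principal = "page:" + origin;
  }
  if (!message || typeof message !== "object" || typeof message.method !== "string") {
    return { ok: false, error: "malformed request", from: principal };
  }
  const fn = Object.prototype.hasOwnProperty.call(METHODS, message.method) ? METHODS[message.method] : null;
  if (!fn) return { ok: false, error: "no such method " + message.method, from: principal };
  return { ok: true, from: principal, result: fn(message.params) };
}

// onMessageExternal is opt-in: with no listener, external messages are dropped.
function registerExternalListener(runtime) {
  runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
    // Return true here only if sendResponse will be called asynchronously.
  });
}

// Constructed stand-in for chrome.runtime so the file runs outside a browser.
function makeFakeRuntime() {
  const listeners = [];
  return {
    onMessageExternal: { addListener: (l) => listeners.push(l) },
    deliver(message, sender) {
      let reply;
      for (const l of listeners) l(message, sender, (r) => { reply = r; });
      return reply;
    },
  };
}

// Exercise the dispatcher with one sender of each kind.
function demo() {
  const runtime = makeFakeRuntime();
  registerExternalListener(runtime);
  return [
    runtime.deliver({ method: "ping" }, { id: "abcdefghijklmnopabcdefghijklmnop" }),
    runtime.deliver({ method: "ping" }, { id: "z".repeat(32) }),
    runtime.deliver({ method: "ping" }, { origin: "https://dapp.example", url: "https://dapp.example/app" }),
    runtime.deliver({ method: "ping" }, { url: "https://evil.example/" }),
    runtime.deliver({ method: "__proto__" }, { id: "abcdefghijklmnopabcdefghijklmnop" }),
  ];
}

// In a real extension this is the only line that matters at load time.
if (typeof chrome !== "undefined" && chrome.runtime) registerExternalListener(chrome.runtime);
```

Two manifest facts frame this: without an `externally_connectable` key, any extension can message you but no web page can, and once the key lists page patterns only those pages are delivered. The allowlist in code is still needed, because the manifest does not restrict which extensions may connect.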

