extensions : unsecure, url in manifest.json “permissions” treated as /*


acx01bc

Mar 15, 2017, 2:44:07 PM
to Google Chrome Developer Tools
In this Stack Overflow question user @wOxxOm pointed out that "http://any_url.json" in "permissions" is treated as "http://any_url.json/*" (see https://developer.chrome.com/extensions/match_patterns)

I don't understand why this is the case, since it makes unsecure (*) any extension with such a manifest.json, while not treating it as /* would make it secure.

Can a developer explain why this is the case, or explain what I missed about the same origin policy?

(*) There is sample code in the link.

Thank you.

PhistucK

Mar 15, 2017, 2:49:16 PM
to Google Chrome Developer Tools
By design, those are host permissions, not specific-URL-permissions.

This is unrelated to the same origin policy, as you cannot access those hosts at all (without CORS, of course) in normal web pages and extensions (without host permissions).
Extensions are powerful and they are supposed to know requests they are initiating.
It might be a security risk of the specific extension (and not of the extension system) if it does not sanitize its request initiation or user input.

Anyway, this is not the place for such discussions, as this group is about the Developer Tools feature.
You want chromium-extensions instead.


PhistucK
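
The host-permission behaviour described in the reply above, as an added example that is not part of the thread: a small audit helper that lists what each URL entry in a manifest's "permissions" effectively grants, assuming, as stated in the thread, that any written path is treated as /*. The function name, the regular expression and the sample manifest are constructed for illustration.

```javascript
// Added example, not code from the thread or from Chrome.
// Assumption taken from the thread: a URL entry in "permissions" is a host
// permission, so whatever path is written is treated as "/*".

// scheme://host[/path] ; entries that do not match are API permissions.
const HOST_ENTRY = /^(\*|https?|file|ftp):\/\/([^\/]*)(\/.*)?$/;

function effectiveHostGrants(manifest) {
  const findings = [];
  for (const entry of manifest.permissions || []) {
    if (entry === '<all_urls>') {
      findings.push({ entry, effective: '<all_urls>', widened: false });
      continue;
    }
    const m = HOST_ENTRY.exec(entry);
    if (!m) continue; // e.g. "tabs", "storage": not a host entry
    const [, scheme, host, path = ''] = m;
    findings.push({
      entry,
      // What the extension can actually reach under the thread's rule.
      effective: `${scheme}://${host}/*`,
      // True when the entry reads as narrower than the grant: a single
      // resource path, or no path at all.
      widened: path !== '/*',
    });
  }
  return findings;
}

// Constructed sample manifest (hosts are placeholders).
const sampleManifest = {
  name: 'constructed sample',
  permissions: [
    'tabs',
    'http://any_url.json',
    'https://api.example.test/v1/config.json',
    'https://cdn.example.test/*',
  ],
};

for (const f of effectiveHostGrants(sampleManifest)) {
  const note = f.widened ? '  <-- review: grant covers the whole host' : '';
  console.log(`${f.entry} => ${f.effective}${note}`);
}
```
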


acx01bc

Mar 16, 2017, 2:44:01 PM
to Google Chrome Developer Tools

I meant insecure for the user who installs an extension!! And insecure for Chrome to automatically sign those extensions (after looking only at the manifest.json)

With executeScript or a content script, extensions can get the passwords typed by the user who installed them, but without any "permissions" there is no way to send those passwords on the internet.

This is why treating the permissions as /* is insecure: it lets the extension developer put some data in the URL and send it to the server added in "permissions". Not treating it as '/*' would allow only reading the JSON file, but I just realized you can communicate some bits one by one anyway: make a GET request depending on whether the day/hour is odd or even

PhistucK

Mar 16, 2017, 6:30:57 PM
to Google Chrome Developer Tools

On Thu, Mar 16, 2017 at 8:44 PM, acx01bc <acx...@gmail.com> wrote:
> but without any "permissions" there is no way to send those passwords on the internet.

Incorrect, you can initiate requests even without permissions (POST, GET), you just cannot see the response. If not, you can always just create a tab with a URL and initiate a GET request. Or you can submit an HTML form (POST, GET) to a hidden iFrame and so on. There are many ways to send information without permissions, but far fewer ways to get the response (but if you just want to steal passwords, you do not really care about the response anyway and in case you do, just use JSONP or whatever).



PhistucK