

# The Most Dangerous Code in the Web Browser

Did you know that the web browser extension you installed a long time ago (say, AdBlock) can probably see all your passwords, look at any website you visit using your credentials, and could trivially send all that information to an arbitrary web server? That's pretty scary, and in this blog post I will explain how security for extensions currently works. I will also outline research towards a better extension security model for browsers that protects your sensitive information.

Web applications are ubiquitous, and many tasks that traditionally have been achieved using dedicated desktop applications are carried out in web browsers today. Furthermore, these applications increasingly handle sensitive data such as banking information, passwords or medical data. This poses security challenges to protect this data from malicious entities, and luckily the web platform and, as part of this, web browsers have evolved to achieve this. For instance, the same-origin policy (or SOP for short) roughly ensures that information from one website (say, ) cannot be accessed by a malicious site like , because they have different origins [1]. Mechanisms like the SOP have worked relatively well in protecting user data in web browsers [2]. However, users often want to extend web browser functionality by installing extensions, e.g., to block advertisements or to extend the functionality of certain websites. Unfortunately, the security story for extensions is less rosy.

Let's look at Google Chrome, the most popular browser and the one with the most sophisticated security model for extensions: unlike websites, extensions need access to more sensitive APIs to implement their functionality, such as access to the list of open tabs, the browsing history, or the cookies. At the same time, extensions also need to deeply interact with the websites' code, so that they can change their behavior or looks. Since such APIs give access to rather sensitive data, Chrome uses two main mechanisms to try to ensure the information remains private.
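To make the same-origin policy mentioned above concrete, here is a small added example (not code from the original post) that computes the (scheme, host, port) triple browsers compare and decides whether a page may read data from another URL. The site names (`bank.example`, `attacker.example`) are constructed placeholders, and the `sopDecisions` helper is ours; real browsers apply the same rule but with many more special cases than shown here.

```javascript
// Added example: a minimal same-origin check in the spirit of the SOP
// described in the post. An origin is the triple (scheme, host, port);
// all three must match exactly, with default ports filled in.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a URL into the origin triple. The WHATWG URL parser drops an
// explicit default port (":443" on https), so we restore it for comparison.
function originTuple(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample: a hypothetical banking page and the URLs it might
// try to read. Only same-origin reads are allowed by the SOP.
const PAGE = "https://bank.example/account";
const TARGETS = [
  "https://bank.example/api/balance",     // same origin: allowed
  "https://attacker.example/steal",       // different host: blocked
  "http://bank.example/account",          // different scheme: blocked
  "https://bank.example:8443/account",    // different port: blocked
  "https://bank.example:443/account",     // explicit default port: allowed
];

// Returns one decision per target so the result can be inspected or tested.
function sopDecisions(page = PAGE, targets = TARGETS) {
  return targets.map((t) => ({
    target: t,
    allowed: sameOrigin(page, t),
  }));
}

for (const d of sopDecisions()) {
  console.log(`${PAGE} -> ${d.target}: ${d.allowed ? "allowed" : "blocked by SOP"}`);
}
```

The point to notice is the last two targets: a different port is a different origin, while an explicitly written default port is not, which is why the example normalizes ports before comparing rather than comparing raw strings.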
