Security: about chrome extension - content scripts
Reported by derick.t...@googlemail.com, Jul 7 2016
Issue description
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.
Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
VULNERABILITY DETAILS
About chrome extension
1. Overwrite functions via document.createElement("script"). In addition to overwriting functions, the functions can also be called.
2. Monitor user input. In the developer tools, the sent message cannot be captured, and there is also no change in the DOM structure of the page, so the average user will never know his input is being monitored.
You can read my demo code and run it, and you will know. I just ran it on the two latest versions of Chrome, stable and dev.
VERSION
Chrome Version: [51.0.2704.106] + [stable, dev]
Operating System: [Windows, 7, service pack 1]
Jul 12 2016
rdevlin.cronin@, could you please take a look or suggest another owner?
Jul 12 2016
This is entirely by design. DOM modifications are how content scripts in isolated worlds are supposed to alter the content of the page.
Jul 13 2016
You could read this API documentation: https://developer.chrome.com/extensions/content_scripts#pi It tells us: "Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page." In this way, I can create or modify any JavaScript variables or functions in the page. Then web data will be changed; then how to ensure that the data the user reads has not been tampered with, and more.

    // Source of the script that the content script injects into the page's main world.
    var script = [
      'var script=document.createElement("script"); ',
      'script.type="text/javascript"; ',
      // The injected script body: sets page globals, makes a synchronous request
      // with the page's own jQuery, then replaces several window functions.
      'script.innerHTML="hi=123;var info=234;console.log(hi,info);$.ajax({url:\'/jquery/test1.txt\',async:false});window.alert = function(){};window.confirm = function(){};window.onunload = function(){};window.onbeforeunload = function(){}";',
      'var html=document.getElementsByTagName("html"); ',
      'html[0].appendChild(script); ',
    ].join('');

And is monitoring user input on a website entirely by design? The attached file is a demo of how to monitor user input.
Jul 13 2016
Adding a script tag to the document executes the script in the document's main world, rather than the extension's isolated world. Yes, this is by design. Isolated worlds are for stability and extension security from websites, not for website security from extensions.
Jul 18 2016
If so, should the documentation be revised? "They have access to the DOM of the page they are injected into, and to any JavaScript variables or functions created by the page"? https://developer.chrome.com/extensions/content_scripts#pi Execution environment: Content scripts execute in a special environment called an isolated world. They have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page. It looks to each content script as if there is no other JavaScript executing on the page it is running on. The same is true in reverse: JavaScript running on the page cannot call any functions or access any variables defined by content scripts.
Jul 18 2016
That's all still true, but when you add a script tag to the document, it's no longer a content script - it's a DOMScript, which executes in the main world (by design). But yes, it may be worth adding a note about this to the documentation.
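As an added example (not code from the bug report or from Chromium), here is the kind of page-side integrity check a site might run to notice that window.alert, window.confirm and similar natives have been replaced by a main-world script, as the reporter's demo does. It is a heuristic only: a script that reaches the main world first can also replace Function.prototype.toString, which is consistent with the point above that isolated worlds do not protect the website from extensions. The object to inspect is a parameter so the code runs in Node; in a browser you would pass window.

```javascript
// Added example: detect replaced native functions on a global-like object.
// Assumptions: `target` is window (or any object) and `names` lists the
// properties a page expects to be browser-provided natives.

// Capture the genuine toString before any later script can swap it out.
const nativeToString = Function.prototype.toString;

// Native functions stringify to "function name() { [native code] }".
// Note: bound functions also report "[native code]", so a bound wrapper
// would slip through this check.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(nativeToString.call(fn));
  } catch (e) {
    // A Proxy or other exotic object that rejects toString is treated as
    // not native.
    return false;
  }
}

// Returns the names whose current value is a function that is no longer
// native, e.g. ['alert'] after `window.alert = function(){}` has run.
// Non-function values (such as a null onunload handler) are not reported.
function findOverwrittenNatives(target, names) {
  return names.filter((name) => {
    const value = target[name];
    return typeof value === 'function' && !isNativeFunction(value);
  });
}

// Constructed sample standing in for a page where alert was replaced but
// confirm still points at a native function.
const sampleGlobals = { alert: function () {}, confirm: Math.max, onunload: null };
console.log(findOverwrittenNatives(sampleGlobals, ['alert', 'confirm', 'onunload']));
// → [ 'alert' ]
```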
Oct 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by calamity@chromium.org, Jul 7 2016: Components: Platform>Extensions