Starred by 10 users
Status: Duplicate
Merged: issue 362351
Owner:
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Feature



Extensions should have a granular permission model similar to Android applications
Reported by routeh...@gmail.com, Aug 25 2016
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
Chrome Extensions have the ability to use API functions exposed by the browser as well as inject JavaScript into pages a user may load.

When a user installs an extension, they are presented with a very coarse permission scheme.

Users should be able to make informed choices about more granular security models, similar to Android apps.

Chrome Extensions can update and implement new features that may change the user's browser behaviour in meaningful ways.  User input is not required to authorize this new browser behaviour.

A long-trusted extension could, remarkably, one day overwrite JavaScript methods like XMLHttpRequest() or WebSocket() and exfiltrate the data being sent in a manner the user otherwise trusted. This could be by intent or malicious attacks on the extension authors.

What is the expected behavior?

What went wrong?
- Extensions should have more granular permission scheme, similar to Android apps

- Extensions should request their updated permission model when they are updated automatically.  This would allow the user to make informed choices about how their experience is changing.

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.11.6
Flash Version:
 
Labels: -Type-Bug-Security Type-Feature
Owner: meacer@chromium.org
More of a feature request than actual security vulnerability.
Comment 2 by meacer@chromium.org, Aug 25 2016
Components: Platform>Extensions Platform
Labels: -Restrict-View-SecurityTeam
Owner: rdevlin....@chromium.org
There are similar requests (e.g. bug 342570). Not sure if there is an exact dupe, so I'll leave it to Devlin to triage.
Mergedinto: 362351
Status: Duplicate
Extensions already have a granular permission model.  An extension can choose to only request the APIs and domains it requires.  When it updates, if it requires new permissions, it is disabled and the user is alerted.  In theory, users already have the ability to make informed choices about the extensions they install - the bigger problem is that few users are deterred by a big scary warning saying "This extension can access and modify all your data on all websites."

Given that there are a number of legitimate use cases for requiring access to all urls (adblock, ghostery, et al), I don't think this is something we can or should remove.

However, there is an effort to give the user more control over when an extension can act, and to try to move towards a more runtime permissions model, which I think is what this bug (and issue 342570) are really hinting at. Duping into the tracking bug for that effort.
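
The update behaviour described in the last comment (an update that requires new permissions gets the extension disabled and the user alerted) can be approximated when auditing two versions of an extension's manifest. This is an added example, not Chromium code and not part of the thread: `requested`, `diffPermissions` and both sample manifests are constructed, and it is a simplified audit check rather than Chrome's own comparison logic.

```javascript
// Added example: audit helper for reviewing an extension update.
// In a Manifest V2 "permissions" array, host permissions are match patterns
// (they contain "://") or the literal "<all_urls>"; other entries are API names.
const isHost = (p) => p === '<all_urls>' || p.includes('://');

// Patterns that reach every site (the "all your data on all websites" warning).
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Everything the manifest asks for at install time. content_scripts "matches"
// are included because they also give the extension script access to pages.
function requested(manifest) {
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
}

function diffPermissions(oldManifest, newManifest) {
  const before = requested(oldManifest);
  const added = [...requested(newManifest)].filter((p) => !before.has(p)).sort();
  const addedApis = added.filter((p) => !isHost(p));
  // If the old version already held <all_urls>, a newly listed host pattern
  // grants nothing new. Other cases are reported (may over-report overlaps).
  const addedHosts = before.has('<all_urls>') ? [] : added.filter(isHost);
  return {
    addedApis,
    addedHosts,
    gainsAllSites: addedHosts.some((h) => BROAD_HOSTS.has(h)),
    escalates: addedApis.length > 0 || addedHosts.length > 0,
  };
}

// Constructed sample manifests for two versions of a hypothetical extension.
const v1 = { version: '1.0', permissions: ['storage', 'https://example.com/*'] };
const v2 = { version: '1.1', permissions: ['storage', 'webRequest', '<all_urls>'] };

console.log(diffPermissions(v1, v2));
```

An update that reports `gainsAllSites: true` is the case the thread is concerned with: the extension moves from a scoped host list to access on every page.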