Issue 726951 link

Starred by 2 users

Issue metadata

Status:	Duplicate
Merged:	issue 846346
Owner:	----
Closed:	Dec 21
Cc:	rdevlin....@chromium.org creis@chromium.org jsc...@chromium.org alex...@chromium.org █ nasko@chromium.org wfh@chromium.org
Components:	Internals>Sandbox>SiteIsolation
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Feature

Blocked on:
issue 846346

Blocking:
issue 268640

fetch() from content scripts will be problematic under site isolation

Project Member Reported by nick@chromium.org, May 27 2017

Issue description

Attached is a simple content script that injects into all pages. It adds a <button> and <input> to the top of every webpage; when the button is clicked, it will do an authenticated fetch of the URL in the <input>.

Effectively, under the rules of the current extension system, a single installed content script with:

  "matches": ["*://*/*"],

will require granting every child process the ability to see the responses for arbitrary http/https resources. That effectively defeats site isolation.

Implementing general site isolation will require us to solve this challenge, and scale back privileges from existing content scripts work.

content_script_scraper_problem.zip
1001 bytes Download

Comment 1 by nick@chromium.org, May 30 2017

Owner: nick@chromium.org
Status: Assigned (was: Untriaged)

I've confirmed that (as expected) some extensions with content scripts that run in all sites are very popular.

I'll augment the existing SiteIsolation.XSD metrics to be aware of content script origin, and provide the ability to break down Blocked requests by:
 - whether it originated from a content script, and/or
 - for XHRs, whether credentials were included