RFE: add permissions extensions could drop (or must request) for extension pages triggering network requests
Reported by
khym.cha...@gmail.com,
Jul 29 2017
|
||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Example URL: Steps to reproduce the problem: 1. Write an extension What is the expected behavior? You should be able to restrict the extension from triggering network requests from its pages, either by having permissions which are on by default unless explicitly dropped, or requiring the extension to request those permissions. What went wrong? You can't restrict the extension from triggering network requests from its page. Does it occur on multiple sites: Yes Is it a problem with a plugin? No Did this work before? No Does this work in other browsers? Yes Chrome version: 60.0.3112.78 Channel: stable OS Version: Fedora 25 Flash Version: Shockwave Flash 26.0 r0 Justification/rationale: if an extension could be totally isolated from network access, then the extension installer/updater could inform the user of this fact. That is, it could say something like "Extension XYZ can access your browsing history, but it can't make any network connections, so you're safe from privacy violations". I proposed this in issue 739079 , but was unaware that an extension's pages (like the background pages) can trigger network requests. So something like this RFE would be needed to make my previous RFE possible. I talk about dropping a permission that is granted to extensions by default because there might be lots of extensions out there which depend on network requests triggered from their extension pages, and creating a new permission they'd have to request to keep on operating would break those extensions where the developer isn't on the ball. Of course, for all I know it's not possible to have a permission which an extension drops instead of requests.
,
Jul 31 2017
,
Aug 2 2017
I'll let the extension team judge the desirability. From my side, I would find offline-only extension useful; or in other words, I would trust them more and be more likely to install them. But we must make sure that we don't over-promise. E.g. we must not say that the extension can't communicate with network if it has other permissions that would allow it, in a roundabout way, to do so.
,
Aug 4 2017
This seems to be a feature request. Hence, marking it as untriaged for further investigation from dev team. Thanks...!!
,
Aug 8 2017
,
Aug 18 2017
We spent some time chatting about this. Conceptually, I can understand this request, but I'm not entirely sure it's desirable for the platform, and, more importantly, I don't think it's feasible in any meaningful way. From the desirability perspective, extensions have always been intended to be "web + extra", but any page on the web has the ability to make network requests to any server. Extensions take this a step farther and we imitate it coming from the same origin; it's reasonable that we could remove this ability (or gate it on a permission), but that doesn't help with the case of an extension leaking information to a cooperating server, since that server could set CORS to accept the connection. More importantly, though, even we lock down all network requests from the extension's background page, that's not sufficient for the spirit of this request, which is "ensure that no data is leaked". There are a number of different ways extensions can leak this information - if they can use window.open() or the tabs.create() API, they can open a new tab to a malicious site with PII stored in query parameters. If they have content scripts injecting into any page, they can XHR from that page to a server, or use the content script as a method of communication itself. In order to lock all these down, you'd be left with an extension that has *very* little functionality (no tabs API, no content scripts, no window.open(), no external communication, etc). The class of extensions that can still function in that window is very small. Even that is conceptually doable, if very difficult. But there would still be other attacks that wouldn't be protected against. For instance, an extension could embed a link (either through an anchor tag in the DOM, bookmark, etc) to open a link to communicate with a malicious server, again, sending out the PII. When it comes down to it, in order to really prevent the extension from leaking data, we'd need to massively restrict not only the extension APIs it can use, but the basic web technology it can use (disallowing basic parts of HTML like anchor tags). The end result would take a *massive* amount of work to create and maintenance, but isn't very usable as a platform (and thus wouldn't see much adoption). I can understand why something like this would be nice - it'd be great to be able to say with confidence that an extension won't leak your data, since then it's much easier to trust that extension with information - but it's just not fundamentally possible with having extensions built on the web. Sorry we couldn't give a better answer! |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by dtapu...@chromium.org
, Jul 31 2017