Security: Extensions re-write the page DOM, injecting style blocks with relative URLs for files
Reported by
david.ma...@contractpal.com,
Dec 21 2017
Issue description

The Chrome extension functionality allows an extension to inject a CSS style tag into every page it visits. This style tag could have relative URLs, referencing font files or other files on servers. At the very least, with the extension you are browsing the Internet and requesting files that don't exist or that have nefarious code-- from every site you visit.

How to reproduce:

1) Install the extension below.
2) Navigate anywhere on the Internet, for example https://www.google.com/.
3) Use Chrome inspect element. Look at the <head> tag of the page and notice the last two injected style blocks, one for Font Awesome and one for retail benefits (presumably from the extension).
4) Note specifically the relative URLs of the fonts requested-- they are being requested from the SITE YOU ARE ON!!
5) Disable the extension and note that the style blocks disappear.

https://chrome.google.com/webstore/detail/savvi-shopping-assistant/dgbkihhigghebljhhgeffgghmfeplcpe?utm_source=chrome-app-launcher-info-dialog
,
Dec 21 2017
It's expected that an extension with permission to inject styles into pages is able to inject styles into pages. In most cases, an extension author should be using absolute URLs to prevent functional problems, but there are scenarios in which injection of relative URLs makes sense.
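An added example, not part of the original thread or of the extension's code: a small audit that lists every `url()` reference in an injected style block and shows where each one resolves when the block sits in a page's `<head>`. The sample CSS, the page URL and the file paths are constructed; only the extension ID comes from the report.

```javascript
// Relative url() references in an inline <style> resolve against the
// document's base URL, so they are fetched from the site being visited.
const URL_REF = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

// A reference is absolute if it parses as a URL without any base.
function isAbsolute(ref) {
  try { new URL(ref); return true; } catch { return false; }
}

// Returns one finding per url() reference in cssText, resolved as the
// browser would resolve it for a style block injected into pageUrl.
function auditInjectedCss(cssText, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of cssText.matchAll(URL_REF)) {
    const ref = m[1] || m[2] || m[3] || '';
    if (ref === '' || ref.startsWith('#')) continue; // nothing is fetched
    const absolute = isAbsolute(ref);
    const resolved = new URL(ref, page);
    findings.push({
      ref,
      resolved: resolved.href,
      relative: !absolute,
      // true when the request goes to the visited site itself
      hitsPageOrigin: !absolute && resolved.origin === page.origin,
    });
  }
  return findings;
}

// Constructed sample: two relative font URLs, one absolute extension URL,
// one protocol-relative URL.
const sampleCss = `
@font-face {
  font-family: "FontAwesome";
  src: url('../fonts/fontawesome-webfont.woff2?v=4.7.0') format('woff2'),
       url(fonts/fontawesome-webfont.ttf) format('truetype');
}
.badge { background: url("chrome-extension://dgbkihhigghebljhhgeffgghmfeplcpe/img/badge.png"); }
.logo  { background: url(//cdn.example.test/logo.png); }
`;
const samplePage = 'https://shop.example.test/cart/view?id=1';

for (const f of auditInjectedCss(sampleCss, samplePage)) {
  console.log(f.hitsPageOrigin ? 'PAGE-ORIGIN' : 'other      ', f.ref, '->', f.resolved);
}
```

Only the two relative font references resolve to the visited site; the `chrome-extension://` form stays pinned to the extension regardless of which page the style is injected into.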
,
Mar 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by david.ma...@contractpal.com
, Dec 21 2017