For security considerations, I was wondering if Chrome extensions had access to an app. I design a Chrome app that handles sensitive data. As far as I understand it, the app runs in a sandboxed environment and should be isolated. If a user had by mistake installed a malicious Chrome extension, would that extension be able to intercept/modify any of the sensitive data in the app?

Please note that I do not consider other ways of interception outside of the Chrome environment, e.g. a virus that allows root access or alike. I want to understand to what degree a Chrome app is more susceptible to interception than a standard stand-alone application.
Sebastian
On the one hand, extensions cannot touch an app's windows (as in, inspection / script injection) in a default environment, "debugger" permission. "Local" data should be safe.

On the other, I tested it, and conclude that the webRequest API will catch the XHRs you send.

This includes headers for both request and response, and the request body. The response body is not available for inspection; however, a malicious extension can perform a redirect, modify the request or cancel it.

This was deemed a security issue; as of Chrome 45, extensions can no longer intercept traffic from other extensions and apps. Hosted apps were accidentally included too, but it's a bug that was fixed - traffic from hosted apps is open to webRequest as normal.

I don't know of any other possibility for an extension to snoop on an app (without an anomalous chrome://flag configuration).
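
A defensive check based on the answer above, as an added example that is not part of the original post: it audits extension manifests for the webRequest capabilities the answer describes, measured against the host an app talks to. The host name, function names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag extension manifests that could observe or tamper with
// traffic to an app's backend via webRequest. API_HOST is a constructed value.
const API_HOST = "api.example.test";

// True if a Chrome match pattern (or <all_urls>) covers the given host.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?):\/\/(\*|(?:\*\.)?[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false; // an API permission name, not a host pattern
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) {
    const base = h.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === h;
}

// Returns a list of findings for one parsed manifest.json object.
function auditManifest(manifest, host) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 keeps host patterns here
  ].filter((p) => typeof p === "string");
  const has = (name) => perms.includes(name);
  const coversHost = perms.some((p) => patternCoversHost(p, host));
  const findings = [];
  if (has("webRequest") && coversHost)
    findings.push("observe: request/response headers and request body");
  if (has("webRequest") && has("webRequestBlocking") && coversHost)
    findings.push("tamper: redirect, modify or cancel requests");
  if (has("debugger")) findings.push("review: debugger permission requested");
  return findings;
}

// Constructed sample manifests, not taken from any real extension.
const SAMPLES = {
  broad: { manifest_version: 2, permissions: ["webRequest", "webRequestBlocking", "<all_urls>"] },
  unrelated: { manifest_version: 2, permissions: ["storage", "https://*.example.org/*"] },
  scoped: { manifest_version: 3, permissions: ["webRequest"], host_permissions: ["https://*.example.test/*"] },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, auditManifest(manifest, API_HOST));
}
```

Whether a flagged extension can actually see a given app's requests still depends on the Chrome version and app type, as the answer notes.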