top | item 41044440

robryk | 1 year ago

You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.

aembleton|1 year ago

Should have a separate permission to modify the DOM. This extension only needs to read the DOM.

teruakohatu|1 year ago

Yes, a network access and DOM write permission should be one and the same. I think the reason it isn't done is because there are so many ways to leak data over a network. If the extension can trigger a DNS lookup somehow, it can exfiltrate data.

Android used to have a network permission but Google removed it.

pastage|1 year ago

I block all external resources on my pages, but sure it works well in most places! I think the default policy should be block on most pages.

gtsteve|1 year ago

I would hope that high value target sites such as banks would implement CSPs to prevent that or make it more difficult though.

pigeonhole123|1 year ago

You can save the data and exfiltrate through a site without CSP