chrome.extension.getURL and AJAX issues in Chrome extensions

I am working on an extension that injects a script on a page.

An extension is basically a content script that injects another script into the DOM. ( Why not just a content script? )

(I have no problem with my code, it works great. The main goal here is to learn about security issues in web development)

The injected script is the original file in my extension, and I fetch it with jQuery.get using the URL from chrome.extension.getURL('myscript.js').

Are there any security issues I should be aware of?

The page is not https; can this get return something different from my script?

I am also inserting HTML content using the same method: an HTML file from my extension, just like the script. Is there any possibility that the response will be corrupted by a man in the middle?

What are the general methods to avoid such security problems, if any?

In other words, if I create a script element (document.createElement('script')) and set its source to my file, can someone interfere when I add it to the page (document.documentElement.appendChild(myScript))?

Also, what are the security concerns associated with this approach: injecting a script that modifies the XMLHttpRequest methods open and send to capture AJAX calls, add listeners, and dispatch them with exactly the same original arguments?

So, let's say I have:

// content script: build a <script> element that points at a file bundled with the extension
var myScript = document.createElement('script');
myScript.src = chrome.extension.getURL('myscript.js');
// URL of an HTML fragment bundled with the extension, later fetched with $.get(page)
var page = chrome.extension.getURL('mypage.html');

  • In such a context, could $.get('mypage.html') return something different from my page because of a man in the middle? (In other words, could I unknowingly insert a malicious page?)
  • Can document.documentElement.append(myScript) inject another script? Could a man in the middle get in between .src and change the actual script?
  • Since the script is meant to change the XMLHttpRequest prototype as described in the linked approach, can send ever be called with arguments other than those passed by the original call?

Thanks!



1 answer


First of all, Chrome is both client and server when you fetch a file from an extension, so you don't need https, it's useless in this scenario. There is no man in the middle here.

You might think that another extension is intercepting AJAX, but for that the extension must have the appropriate permissions granted by the user, so it won't be an unauthorized interception. At least it won't be any less secure than any https AJAX.

And as you say, the other man-in-the-middle attack is to override XMLHttpRequest, which you can do with an extension (with the correct user authorization) or any other way of injecting a script into the page (especially if the page is not secure).



I wonder if you can embed and run the script before the page loads, or at least before executing any other script, with the sole purpose of "protecting" the original XMLHttpRequest object (with something like mySecureAjax = XMLHttpRequest;).

You can execute before any script on the page, but you cannot guarantee execution before another extension injection.

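The following is an added example, not code from the question or the answer, showing the mechanics discussed above: a page script that wraps XMLHttpRequest.prototype.open and send, forwards the exact original arguments, and keeps a reference to the pristine functions. It also shows the answer's caveat that a hook installed by a second extension (or any later script) lands on top of yours and fires first, so saving a "secure" reference only helps if it is taken before anyone else has hooked the prototype. Because Node has no XMLHttpRequest, the block uses a constructed stand-in class (makeFakeXhr) that only models open, send and onload; hookXhr, snapshotXhr and demo are names chosen here for illustration.

```javascript
// Constructed stand-in for the browser's XMLHttpRequest so the example
// runs offline in Node. A factory returns a fresh class each time so the
// prototype hooks below never leak between runs.
function makeFakeXhr() {
  return class FakeXMLHttpRequest {
    constructor() { this.log = []; }
    open(method, url, async = true) {
      // Record exactly what reached the "real" implementation.
      this.log.push(['open', method, url, async]);
    }
    send(body = null) {
      this.log.push(['send', body]);
      if (typeof this.onload === 'function') this.onload();
    }
  };
}

// Snapshot the current open/send. Taken before any hook, this is the
// "mySecureAjax" idea from the comment above: a reference that bypasses
// wrappers installed later. Taken after someone else's hook, it merely
// preserves their wrapper, which is the caveat the answer makes.
function snapshotXhr(XhrClass) {
  return { open: XhrClass.prototype.open, send: XhrClass.prototype.send };
}

// Install a capturing hook. Each wrapper reports the call to `listener`
// and then invokes whatever implementation was there before it, with the
// untouched `args` array, so nothing is added, dropped or reordered.
function hookXhr(XhrClass, listener, tag) {
  const prev = snapshotXhr(XhrClass);
  XhrClass.prototype.open = function (...args) {
    listener({ tag, phase: 'open', method: args[0], url: args[1] });
    return Reflect.apply(prev.open, this, args);
  };
  XhrClass.prototype.send = function (...args) {
    listener({ tag, phase: 'send', body: args[0] });
    return Reflect.apply(prev.send, this, args);
  };
  return prev;
}

function demo() {
  const Xhr = makeFakeXhr();
  const pristine = snapshotXhr(Xhr);   // taken before any hook exists
  const events = [];
  const record = (e) => events.push(e);

  hookXhr(Xhr, record, 'ours');        // our injected script hooks first
  hookXhr(Xhr, record, 'other');       // a later script hooks on top of ours

  const xhr = new Xhr();
  xhr.open('POST', 'https://example.test/api', true);
  xhr.send('{"q":1}');

  // Calling through the pristine references skips every wrapper.
  const before = events.length;
  const direct = new Xhr();
  pristine.open.call(direct, 'GET', 'https://example.test/direct');
  pristine.send.call(direct);
  const bypassedEvents = events.length - before;

  return {
    // order in which the hooks observed the call: the later hook fires first
    order: events.map((e) => e.tag + ':' + e.phase),
    // the request object still received the original arguments unchanged
    request: xhr.log,
    // neither current open nor send is the pristine function any more
    openIsPristine: Xhr.prototype.open === pristine.open,
    sendIsPristine: Xhr.prototype.send === pristine.send,
    bypassedEvents,
    directRequest: direct.log,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ordering result is the practical point: a second hook wraps yours and sees the call before you do, and from inside your wrapper there is no way to tell whether `prev.open` is the browser's native function or another extension's wrapper, so a saved reference is only as trustworthy as the moment it was taken.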