
Comment by beardyw

6 months ago

What has a hidden API where? I have no idea what this is trying to say. Can anyone make sense of it?

If correct, once you access a `.google.com` website, the browser makes available through JavaScript an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website) and can send the collected information to the "mother ship".

If true, as usual, a lot of people have a Google tab open, so you can easily deduce what it means.

This is definitely something to be investigated; for the moment, we only have a tweet.

  • > an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website)

    No. It uses the chrome.system.cpu API, that any extension can access, which gives CPU and RAM utilization info about your tabs. It doesn't give anyone "a lot of information about all the open tabs", and does nothing to expose your banking website...

    https://developer.chrome.com/docs/extensions/reference/api/s...

https://source.chromium.org/chromium/chromium/src/+/main:chr...

That API is baked into Google Chrome. It's hardcoded to only let google.com use it.

  • I don't think that is an accurate description. The APIs are available in Chrome to anyone: https://developer.chrome.com/docs/extensions/reference/api/s...

    The allowlisting going on here is that normally when you install an extension in Chrome it asks you to confirm the access to those APIs on the sites where the extension wants to run, but this one comes pre-confirmed from the factory. A quick GitHub search finds ~1000 manifest files that list system.cpu, possibly because that API is also in the boilerplate example Chrome extension manifest.

    • That's still just as unfair, though. Google always has access to that information because their extension is preinstalled and you can't disable it, but other websites have no access to that information unless you go out of your way to install a third-party extension to do so.

Websites hosted on the google.com domain can access more data about the device than websites hosted on any other domain.

Google allows web pages from *.google.com to read a user's CPU usage, GPU usage, etc.

Other web pages don't have such access.