All Chrome extensions can execute remote code in their own context

85 points by nitrohorse almost 6 years ago

6 comments

nitrohorse almost 6 years ago
Here's the proof-of-concept extension by gorhill for anyone interested: https://gist.github.com/gorhill/b0316e35d4e7e4a44df39e8b7fa5ac20. Looks like his tweets regarding this have also been deleted.
arkadiyt almost 6 years ago
Even without this issue all chrome extensions can execute code in their own context by explicitly setting a blob script-src rather than relying on the default, or by skipping the middle step and adding a domain they control to the script-src and directly linking a javascript file (why bother with blobs?), or even by pushing a new version which Chrome will automatically install for users. The title makes this issue sound severe but it's just a missing best practice.
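
An added example, not part of the thread or of gorhill's proof of concept: a small auditor for the `script-src` relaxations arkadiyt lists above (`blob:` and remote domains), extended beyond the comment to the `'unsafe-eval'` and `'unsafe-inline'` keywords and to the Manifest V3 policy shape. `auditManifestCsp`, the risk strings and the sample manifests are constructed for illustration.

```javascript
// Added example; auditManifestCsp and the sample manifests are constructed.
const RUNTIME_SCHEMES = new Set(['blob:', 'filesystem:', 'data:']);

// Split a CSP string into { directive: [sources] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; keep the first one.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Return one finding per script source that admits code from outside the package.
function auditManifestCsp(manifest) {
  const raw = manifest.content_security_policy;
  // Manifest V2 holds a string; Manifest V3 an object with extension_pages.
  const policy = typeof raw === 'string' ? raw : raw && raw.extension_pages;
  if (!policy) return [{ source: null, risk: 'no explicit policy, browser default applies' }];
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return [{ source: null, risk: 'policy sets neither script-src nor default-src' }];
  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (RUNTIME_SCHEMES.has(s)) {
      findings.push({ source: src, risk: 'script built at runtime from arbitrary text' });
    } else if (s === "'unsafe-eval'" || s === "'unsafe-inline'") {
      findings.push({ source: src, risk: 'strings or inline markup run as script' });
    } else if (!s.startsWith("'")) {
      // Not a quoted keyword, nonce or hash: a host or scheme source.
      findings.push({ source: src, risk: 'script fetched from a remote origin' });
    }
  }
  return findings;
}

// Constructed sample manifests.
const samples = {
  blobAndCdn: { manifest_version: 2, content_security_policy: "script-src 'self' blob: https://cdn.example.com; object-src 'self'" },
  strictV3: { manifest_version: 3, content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } },
};
for (const [name, m] of Object.entries(samples)) console.log(name, auditManifestCsp(m));
```

A clean result covers only the packaged policy; the auto-update path arkadiyt mentions has to be reviewed per release.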
gruez almost 6 years ago
Can someone screenshot the page? I'm getting "permission denied" followed by a redirect to google sign in.
hughes almost 6 years ago
What legitimate use case is there for a blob script-src in a browser extension?
tonetheman almost 6 years ago
I think this is by design maybe

https://developer.chrome.com/extensions/contentSecurityPolicy

Look at the section named "Evaluated Javascript"
FloatArtifact almost 6 years ago
Is any browser that utilizes WebKit extensions at risk or just chrome?