| ▲ | wnevets a day ago |
| I thought manifest v3 was supposed to make chrome extensions secure? |
|
| ▲ | adrr 21 hours ago | parent | next [-] |
| Its the reason why they found it because the code was in extension. Before manifest v3, extensions could just load external scripts and there's no way you could tell what they were actually doing. |
| |
| ▲ | g947o 21 hours ago | parent | next [-] | | > extensions could just load external scripts and there's no way you could tell what they were actually doing. I do think security researchers would be able to figure out what scripts are downloaded and run. Regardless, none of this seems to matter to end users whether the script is in the extension or external. | | |
| ▲ | johncolanduoni 17 hours ago | parent | next [-] | | Even if the extension isn’t malicious, it creates a new attack vector that can affect users. If whatever URL the script is remotely loaded from is compromised, now all users of that extension are vulnerable. | |
| ▲ | reddozen 20 hours ago | parent | prev [-] | | nothing stopping server side logic: if request.ip != myvictim, serve no malicious payload. |
| |
| ▲ | creatonez 18 hours ago | parent | prev [-] | | Wait, does that mean Manifest v3 is so neutered that it can't load a `<script>` tag into the page if an extension needed to? If so, I feel like something that limited is hardly even a browser extension interface in the traditional sense. | | |
| ▲ | johncolanduoni 17 hours ago | parent | next [-] | | Most browser extensions don’t need to insert script tags that point to arbitrary URLs on the internet. You can inject scripts that are bundled with the extension (you don’t even need to use an actual script tag). This is one part of manifest v3 that I think was actually a good change - ad blockers don’t do this so I don’t think Google had an ulterior motive for this particular limitation. | |
| ▲ | moi2388 17 hours ago | parent | prev [-] | | That is correct. You can not inject external scripts. You can fetch from a remote and inject through the content script though, but the content and service worker code is known at review time. So you can still do everything you could before, but it’s not as hidden anymore |
|
|
|
| ▲ | tlogan a day ago | parent | prev [-] |
| Let me ask you this way: How do you think they make money? |
| |
| ▲ | PeterHolzwarth a day ago | parent [-] | | I believe you may be missing the sarcasm of the post you are responding to. | | |
| ▲ | johncolanduoni a day ago | parent | next [-] | | I’m here to inform you that you perhaps missed the second-order sarcasm of the post you responded to. Hopefully the chain ends here. | | |
| ▲ | CafeRacer 21 hours ago | parent [-] | | I am afraid you may have missed a third order of sarcasm. It sometimes called Incepticasm. |
| |
| ▲ | droopyEyelids a day ago | parent | prev [-] | | He may have understood it, but the feelings of anger about it are so overwhelming he had to post anyway, even if it didn't perfectly flow with the conversation. |
|
|
