toomuchtodo 4 hours ago
Is there no browser setting to defend against this attack? If not, there should be, versus relying on extension authors to configure or enable such a setting.
zahlman 4 hours ago
I imagine that it would require browsers to treat web requests from JS differently from those initiated by the user, specifically pretending the JS-originating requests are by logged-out or "incognito" users (by, I suppose, simply not forwarding any local credentials along, but maybe there's more to it than that). Which would probably wreak havoc with a lot of web apps, at least requiring some kind of same-origin policy. And maybe it messes with OAuth or something. But it does seem at least feasible.