| ▲ | jsheard 4 hours ago |
| Looks to me like LinkedIn is fetching chrome-extension://{extension id}/{known filename} and seeing if it succeeds, not pinging the web store. Should be patched nonetheless though, that's a pretty obscene fingerprinting vector. |
|
| ▲ | what 3 hours ago | parent [-] |
| How do you patch it? The extensions themselves (presumably) need to access the same web accessible resources from their content scripts. How do you differentiate between some extension’s content script requesting the resource and LinkedIn requesting it? |
| |
| ▲ | jsheard 3 hours ago | parent [-] | | Firefox already mitigates this by randomizing the extension path: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... The file is then available using a URL like: moz-extension://<extension-UUID>/images/my-image.png"
<extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance.
This prevents websites from fingerprinting a browser by examining the extensions it has installed.
| | |
| ▲ | zahlman 3 hours ago | parent [-] | | Doesn't the browser know which script it's running? Why can't it just deny access to the specified path, except to the extension itself? | | |
| ▲ | cxr 3 hours ago | parent [-] | | It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link. |
|
|
|
