jsheard 2 hours ago
Firefox already mitigates this by randomizing the extension path: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
"The file is then available using a URL like: moz-extension://<extension-UUID>/images/my-image.png"
<extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance.
This prevents websites from fingerprinting a browser by examining the extensions it has installed.

zahlman 2 hours ago
Doesn't the browser know which script it's running? Why can't it just deny access to the specified path, except to the extension itself?

cxr an hour ago
It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.
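
Added example (not part of the thread and not from the linked documentation): a small Python audit that lists which files an extension's manifest.json designates as web-accessible and to whom, covering both the Manifest V2 string list and the Manifest V3 object form. The sample manifests are constructed and the function names are hypothetical; `use_dynamic_url` is Chrome's Manifest V3 key, included as an assumption about what a reviewer would also want flagged.

```python
import json

# Constructed sample manifests (not taken from any real extension).
MV2 = json.loads('{"manifest_version": 2,'
                 ' "web_accessible_resources": ["images/*.png", "inject.js"]}')
MV3 = json.loads('''{"manifest_version": 3, "web_accessible_resources": [
  {"resources": ["images/logo.png"], "matches": ["<all_urls>"]},
  {"resources": ["ui/*"], "matches": ["https://example.com/*"],
   "use_dynamic_url": true}
]}''')

# Match patterns that expose a resource to effectively every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _notes(pattern, dynamic):
    """Flags a reviewer cares about for one resource pattern."""
    notes = []
    if "*" in pattern:
        notes.append("wildcard")      # exposes more files than one named path
    if dynamic:
        notes.append("dynamic URL")   # resource URL is not stable
    return notes


def audit_war(manifest):
    """Return (pattern, exposed_to, notes) for every web-accessible pattern.

    Anything not listed here stays reachable only by the extension itself,
    which is the default-deny behaviour described in the thread.
    """
    findings = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            # Manifest V2: a bare pattern, loadable from any web page.
            findings.append((entry, "any origin", _notes(entry, False)))
            continue
        # Manifest V3: each entry scopes its resources to specific origins.
        matches = entry.get("matches", [])
        if any(m in BROAD for m in matches):
            scope = "any origin"
        else:
            scope = ", ".join(matches) or "listed extensions only"
        dynamic = entry.get("use_dynamic_url", False)
        for pattern in entry.get("resources", []):
            findings.append((pattern, scope, _notes(pattern, dynamic)))
    return findings
```

An empty result means no file in the extension can be requested by a web page at all; entries reported as "any origin" with a wildcard are the ones to narrow first.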