| ▲ | z3ratul163071 8 hours ago |
| why would the browser ever expose extensions api to a web page. does firefox does this as well? |
|
| ▲ | ceejayoz 8 hours ago | parent | next [-] |
| The "The Attack: How it works" section explains how it works. It's not an API. I am a little surprised something like CORS doesn't apply to it, though. |
| |
| ▲ | acorn221 8 hours ago | parent [-] | | So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources". This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin. | | |
| ▲ | entropyneur 5 hours ago | parent [-] | | It's not the extension developer who should decide this, but the browser user. |
|
|
|
| ▲ | Panda4 8 hours ago | parent | prev | next [-] |
| > Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so. edit: I answered before I go fully through the article but it does say it's only Chrome based. > The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute. > This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan. |
| |
| ▲ | OoooooooO 8 hours ago | parent | next [-] | | Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls. | |
| ▲ | dylan604 8 hours ago | parent | prev [-] | | What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome? | | |
| ▲ | Panda4 8 hours ago | parent | next [-] | | > This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan. | | |
| ▲ | dylan604 7 hours ago | parent [-] | | Exactly, so again, what is a Chrome-based browser? | | |
| ▲ | Sohcahtoa82 5 hours ago | parent [-] | | A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based. I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question. | | |
| ▲ | JumpCrisscross 5 hours ago | parent [-] | | > A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome based. |
|
|
| |
| ▲ | andersonpico 8 hours ago | parent | prev [-] | | From "The Attack: How it works", its just checking the user agent string: function a() {
return "undefined" != typeof window
&& window
&& "node" !== window.appEnvironment;
} function s() {
return window?.navigator?.userAgent?.indexOf("Chrome") > -1;
} if (!a() || !s()) return; |
|
|
|
| ▲ | thom 8 hours ago | parent | prev | next [-] |
| I was under the impression Firefox randomises extension IDs on install, so hopefully not? |
|
| ▲ | hedora 7 hours ago | parent | prev | next [-] |
| The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream". I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted. |
|
| ▲ | Raed667 8 hours ago | parent | prev [-] |
| they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox |
