FridgeSeal 3 hours ago

So the follow-up question is: why is a random website allowed to try and load arbitrary files?

stingraycharles 3 hours ago

This is how I interpreted the original question, and indeed it makes no sense; JavaScript from a website should not be allowed to interact with extensions like this.

flomo 2 hours ago

It's actually the extension injecting itself into the webpage, often to interact with it. (I imagine much of this is just looking for global ExtensionName objects.)

angoragoats an hour ago

Actually, the article is clear about what is happening technically, and it’s both. Chrome does, in fact, allow the page to make requests for resources stored in the extension bundle, and this is one of the two fingerprinting methods that the article describes.

encom 32 minutes ago

>JavaScript from a website should not be allowed

Agreed 100%.

sigmoid10 2 hours ago

Chrome exposes these files via a URL that you can fetch in JavaScript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.

pbhjpbhj 13 minutes ago

Why is it not a CORS violation?

The browser needing access and a random website having access are quite different. Seems like a big ol' pile of vulns waiting to happen.

mschuster91 2 hours ago

Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.
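
Which chrome-extension:// files a page can load is set by the extension's own `web_accessible_resources` manifest key, so an extension author can check how much of the bundle is reachable from arbitrary sites. The audit below is an added example, not code from the thread, the article or Chrome; the function name, issue labels and sample manifests are constructed for illustration.

```javascript
// Added example: flag extension files that any website can request at a stable URL.
// Match patterns that cover every site (not an exhaustive list).
const ANY_SITE = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths with no origin restriction at all.
    for (const path of war) {
      findings.push({ resource: path, issue: "mv2-exposed-to-all-origins" });
    }
    return findings;
  }
  // Manifest V3: each entry scopes its resources with `matches`.
  for (const entry of war) {
    const anySite = (entry.matches || []).some((m) => ANY_SITE.has(m));
    for (const path of entry.resources || []) {
      // A fixed extension ID plus a known path is what makes probing reliable;
      // `use_dynamic_url: true` swaps the ID for one regenerated per session.
      if (anySite && entry.use_dynamic_url !== true) {
        findings.push({ resource: path, issue: "any-site-stable-url" });
      }
      // Wildcards expose more files than the author may have intended.
      if (path.includes("*")) {
        findings.push({ resource: path, issue: "wildcard-path" });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const CONSTRUCTED_LOOSE = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/logo.png", "inject/*.js"], matches: ["<all_urls>"] },
  ],
};
const CONSTRUCTED_TIGHT = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["inject/widget.js"], matches: ["https://app.example.com/*"],
      use_dynamic_url: true },
  ],
};
const CONSTRUCTED_MV2 = { manifest_version: 2, web_accessible_resources: ["img/logo.png"] };

console.log(auditWebAccessibleResources(CONSTRUCTED_LOOSE));
```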