thrdbndndn 3 hours ago

Very good write up but I lost it a little at the end. Could someone clarify for me? The author said: You cannot just use the shortcut trick to install the evil extension directly because of the new publisher trust system; you can bypass this by using local workspace extensions, which have no publisher screening, but CSP blocks it; the solution seems to be installing a local workspace extension which binds a shortcut of 'install extension without checking publisher'.

So I assume it means:

1. You need two extensions: the 1st one is local and only for the keybinding, and the 2nd one is the 'real' evil one and it doesn't need to (actually can't, because of CSP) be local anymore?

2. The CSP only prevents the JS in the local extension but nothing about its package.json (or the ability to add shortcuts), right?
ammar2 3 hours ago | parent

1 and 2 are correct, take a look at the PoC repo here: https://github.com/ammaraskar/github-dev-token-steal-poc/tre... We can try to just put a `my-extension/extension.js` for the most direct execution but the CSP blocks that. It's only a script-src CSP blocking it though, so fetching the package.json is still kosher. So we end up using it to contribute a keybinding instead.