Forem Creators and Builders 🌱

Ben Halpern

Is the approach to privacy within the forem browser extension valid?

I wanted to bring up this question because I haven't gotten a lot of feedback on this issue.

So we have the extension, code here:

https://github.com/forem/forem-browser-extension

It's basically all one file so we should be able to come to a reasonable conclusion on this approach.

The idea is that no forem should be able to see that someone is a member of other forems. I don't entirely know if this current approach is sound, but it's premised on the idea that the content.js file can read from chrome.storage, but the webpage cannot, and that the content we create is plopped in an iframe, which cannot be accessed by the rest of the page.

And if this is correct, could we then store API keys in the extension in order to speak to the various apps to get notifications etc?

This issue...

https://github.com/forem/forem-browser-extension/issues/3

Thanks

Top comments (2)

Nick Taylor • Edited

Content scripts are like any other script running on your app and so they have access to your entire site from a client-side perspective. This also means that malicious things can potentially happen in content scripts as well.

A better way to handle this is to use the content script sparingly, mainly for messaging and UI, and move the heavy lifting to the background script.

From the Chrome Extension Stay Secure page: "Sensitive work should be performed in a dedicated process, such as the extension's background script".

A benefit of doing this as well is that your extension will potentially run faster, since most of the heavy lifting is in the background script, which will only be loaded when needed.

Also, follow the principle of least privilege. This ensures that only the absolutely necessary permissions for the extension are granted.

Ben Halpern

From the Content scripts link

Content scripts can access Chrome APIs used by their parent extension by exchanging messages with the extension. They can also access the URL of an extension's file with chrome.runtime.getURL() and use the result the same as other URLs.

And also

Isolated worlds do not allow for content scripts, the extension, and the web page to access any variables or functions created by the others. This also gives content scripts the ability to enable functionality that should not be accessible to the web page.

And from the Security page

Content scripts are the only part of an extension that interacts directly with the web page. Because of this, hostile web pages may manipulate parts of the DOM the content script depends on, or exploit surprising web standard behavior, such as named items.
To interact with DOM of web pages, content scripts need to execute in the same renderer process as the web page. This makes content scripts vulnerable to leaking data via side channel attacks (e.g., Spectre), and to being taken over by an attacker if a malicious web page compromises the renderer process.

It seems like the current functionality is duly safe because the code doesn't rely on anything in the DOM for its functionality. But we might as well move to use the background scripts for most of the work just because that's the better long-term approach.
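The split Nick describes above and Ben agrees to move toward (content script only for messaging and UI, background script holding chrome.storage and the API keys) looks roughly like this. This is an added illustration, not code from forem/forem-browser-extension; the `/api/notifications` path and the `api-key` header are hypothetical, and `storage`/`fetchFn` are injected so the handler can be exercised outside a browser.

```javascript
// Added example (not the extension's own code). content.js sends one message
// and renders the reply; background.js owns chrome.storage and does the fetch.
const ALLOWED_ACTIONS = new Set(["getNotificationCount"]);

// Accept a request only from this extension's own scripts and only for a
// well-formed origin, so the channel cannot be used with arbitrary input.
function isTrustedRequest(message, sender, extensionId) {
  if (!sender || sender.id !== extensionId) return false;
  if (!message || typeof message !== "object") return false;
  if (!ALLOWED_ACTIONS.has(message.action)) return false;
  return typeof message.forem === "string" &&
    /^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(message.forem);
}

// Reduce the API response to the one number the content script needs; the
// key and the raw notifications never leave the background process.
function redactReply(notifications) {
  return { count: Array.isArray(notifications) ? notifications.length : 0 };
}

// Background-side handler. In the extension, storage is chrome.storage.local
// and fetchFn is fetch; both are parameters here so the logic runs in Node.
async function handleRequest(message, sender, extensionId, storage, fetchFn) {
  if (!isTrustedRequest(message, sender, extensionId)) return { error: "rejected" };
  const { apiKeys = {} } = await storage.get("apiKeys");
  const key = apiKeys[message.forem];
  // Unknown forem: answer "zero notifications" rather than "no key", so the
  // reply shape does not reveal which other forems the user belongs to.
  if (!key) return redactReply([]);
  const res = await fetchFn(`${message.forem}/api/notifications`, // hypothetical path
    { headers: { "api-key": key } });
  return redactReply(await res.json());
}

// Wiring for background.js (skipped when this file runs outside a browser).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    handleRequest(message, sender, chrome.runtime.id, chrome.storage.local, fetch)
      .then(sendResponse);
    return true; // keep the channel open for the async reply
  });
}
// The matching content.js line asks only about the page it is injected into:
// chrome.runtime.sendMessage({ action: "getNotificationCount",
//                              forem: location.origin }, (r) => render(r.count));
```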