I wanted to bring up this question because I haven't gotten a lot of feedback on this issue.
So we have the extension, code here:
It's basically all one file so we should be able to come to a reasonable conclusion on this approach.
The idea is that no forem should be able to see that someone is a member of other forems. I don't entirely know if this current approach is sound, but it's premised on the idea that the
content.js file can read from
chrome.storage, but the webpage cannot— and that the content we create is plopped in an iframe, which cannot be accessed by the rest of the page.
And if this is correct, could we then store API keys in the extension in order to speak to the various apps to get notifications etc?
Top comments (2)
Content scripts are like any other script running on your app and so they have access to your entire site from a client-side perspective. This also means that malicious things can potentially happen in content scripts as well.
A better way to handle this is use the content script sparingly, mainly for messaging and UI and move the heavy lifting to the background script.
From the Chrome Extension Stay Secure page, "Sensitive work should be performed in a dedicated process, such as the extension's background script"
A benefit of doing this as well, is that your extension will potentially run faster, since most of the heavy lifting is in the background script, which will only be loaded when needed.
Also, follow the principle of least privilege. This ensures that only the absolutely necessary permissions for the extension are granted.
From the Content scripts link
And from the Security page
It seems like the current functionality is duly safe because the code doesn't rely on anything in the DOM for its functionality. But we might as well move to use the background scripts for most of the work just because that's the better longterm approach.