UPDATE: Actually Chrome Extensions do ask you for a permission, when you install them to have privileged access to certain domains, which they couldn’t access due to Cross Domain Origin Policy. However this just means, that e.g. they cannot do e.g. a POST to yourbank.com, if you hadn’t allowed them. But nothing hinders them to spy on your passwords, etc.
This is a fast writeup of what came to my mind today. As the Browser is always more becoming a Platform for “Applications” (Extensions) to run on, I started thinking about some security implications today.
I am using the Google Chrome Extension API lately to develop for a Google Chrome Extension.
Background pages and content scripts are actually a big security flaw. Just immagine only some things they can do:
- open and close tabs in the background
- click ok for you somewhere in a page (e.g. while you are authorizing someone via oAuth)
- listen to keystrokes
- make cross-domain XMLHTTPRequests in the background using or transmitting your session secret and/or banks mobile TAN.
I think Google should start allowing only signed extensions, which they have reviewed to not do any harmful stuff, similar to how Apple reviews their apps and let only signed extensions run on the Google Chrome platform. By the way the same is true other web-browsers like Firefox and IE9 too.
I think Safari is the only browser allowing only signed extensions, which is a big plus.
Comments are appreciated!