Do Chrome extensions have access to Chrome apps?


Problem description

For security considerations I am wondering if Chrome extensions had access to an app. I design a Chrome App which handles sensitive data. As far as I understand it, that app runs in a sandboxed environment which should be fairly isolated. If a user had by mistake installed a malicious Chrome extension, would that extension be able to intercept/modify any of the sensitive data in the app?

Please note that I do not consider other ways of interceptions outside of the Chrome environment, e.g. some virus that allows someone to get root access or alike. I would just like to understand to what degree a Chrome app is more susceptible to interception than a standard stand-alone application.

Sebastian

Solution

On one hand, extensions cannot touch your app's windows (as in, inspection / script injection) in the default environment, even with "debugger" permission. Your "local" data should be safe.

On the other, I tested it and conclude that webRequest API will catch all XHRs you send.

This includes headers for both request and response, and request body. Response body is currently not available for inspection; however, a malicious extension can perform a redirect, modify your request or cancel it.

This was deemed a security issue; as of Chrome 45, extensions can no longer intercept traffic from other extensions and apps. Hosted apps were accidentally included too, but it's a bug that will be fixed soon - traffic from hosted apps will be open to webRequest as normal.

I don't know any other possibility for an extension to snoop on an app (without any anomalous chrome://flag configuration).
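
An audit sketch for the webRequest exposure described in the answer above, added here as an example and not part of the original answer: it reads extension manifests and reports which ones declare `webRequest` (observe) or `webRequestBlocking` (redirect, modify, cancel) together with a host pattern covering the app's backend. The backend URL and the sample manifests are constructed, and match-pattern handling is simplified as noted in the comments.

```javascript
// Added example (not from the original answer). Manifests and URL are constructed.

// Does a Chrome match pattern such as "https://*.example.com/*" cover the URL?
// Simplified: "*" scheme means http/https only; ports are not modelled.
function patternCovers(pattern, url) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/(\*|(?:\*\.)?[^\/*]+)?(\/.*)$/.exec(pattern);
  if (!m) return false; // an API permission name, not a host pattern
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const uScheme = u.protocol.slice(0, -1);
  const schemeOk = scheme === '*' ? /^https?$/.test(uScheme) : scheme === uScheme;
  const hostOk = host === '*' ||
    (host && host.startsWith('*.')
      ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
      : u.hostname === (host || ''));
  const glob = path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return schemeOk && hostOk && new RegExp('^' + glob + '$').test(u.pathname + u.search);
}

// canObserve: "webRequest" plus a covering host pattern (headers, request body).
// canModify: additionally "webRequestBlocking" (redirect, modify, cancel).
function auditManifest(manifest, backendUrl) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const canObserve = perms.includes('webRequest') &&
    perms.some((p) => patternCovers(p, backendUrl));
  return {
    name: manifest.name,
    canObserve,
    canModify: canObserve && perms.includes('webRequestBlocking'),
  };
}

const BACKEND = 'https://api.example.com/v1/records'; // constructed app backend
const SAMPLE_MANIFESTS = [ // constructed manifest.json contents
  { name: 'broad-blocker', permissions: ['webRequest', 'webRequestBlocking', '<all_urls>'] },
  { name: 'scoped-observer', permissions: ['webRequest', 'https://*.example.com/*'] },
  { name: 'other-site', permissions: ['webRequest', 'webRequestBlocking', 'https://other.test/*'] },
  { name: 'no-webrequest', permissions: ['tabs', '*://*/*'] },
];

for (const r of SAMPLE_MANIFESTS.map((m) => auditManifest(m, BACKEND))) {
  console.log(`${r.name}: observe=${r.canObserve} modify=${r.canModify}`);
}
```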
