Updates:
Cc: [email protected]
Comment #10 on issue 27431 by scarybeasts: Special extension install mode
for gallery
http://code.google.com/p/chromium/issues/detail?id=27431
[+sumit who was also consulting on this]
@Charlie: we did worry extensively about the impact of XSS, and yes -- a
silent
install from the gallery could be effected. Accordingly, the following
mitigations
were put in place:
- The Chrome gallery runs over https (only!) on its own semi-exclusive
subdomain:
https://chrome.google.com/extensions. (That said, our latest dev release
appears
broken in that the above URL is just a redirect to
http://www.google.com/ :( )
- We requested/required that the server-side code for the gallery uses a
suitable
auto-escaping template technology.
- Any highly dangerous extension (such as one containing an NPAPI plugin)
won't be
auto-installable.
Yes, we should use STS for the gallery page. Please file a bug :) We should
roll out
any defensive header we think might be useful. We already have
X-Frame-Options: DENY
as far as I know.
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs
