Comment #22 on issue 27431 by [email protected]: Special extension install mode for gallery http://code.google.com/p/chromium/issues/detail?id=27431
The Omaha approach definitely rules out some of the attacks. The only thing that we need to be careful about using Omaha is how calls are made to it. Since Omaha's interface will be open, any local process will be allowed to install the extension - lower risk assuming a compromised renderer is not allowed to call Omaha. How are extensions handled today if Chrome is a machine install and not a user install?

Re: vulnerability 1 mentioned above: This is a non-issue once the XSRF protection I suggested above is added to the download links. The crx link in the description comments will not have the XSRF token.

Another interesting case which I have not got time to try out yet is: what if I write an extension that requests permissions to chrome.google.com and then try to install other extensions with forged referrers!
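The XSRF-token approach the comment describes, shown as an added illustration that is not Chromium's or the gallery's own code: the gallery binds a token to the logged-in session and the extension being installed, and the install endpoint rejects any link that lacks a valid token, so a crx link pasted into the description comments (no token) or a request carrying a forged Referer (wrong or missing token) is refused. Every name here (`make_xsrf_token`, `build_install_link`, `authorize_install`, the `xsrf` query parameter, the secret and session values) is a constructed assumption for this example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side secret for this example only; a real deployment
# keeps it in a key store, not in source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

GALLERY_HOST = "chrome.google.com"


def make_xsrf_token(secret: bytes, session_id: str, extension_id: str) -> str:
    """Derive a token bound to both the user's session and one extension id.

    Binding to the extension id means a token leaked for one extension does
    not authorize installing a different one.
    """
    msg = f"{session_id}|{extension_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_install_link(secret: bytes, session_id: str, extension_id: str) -> str:
    """Link the gallery's own install button would emit for this session."""
    token = make_xsrf_token(secret, session_id, extension_id)
    return f"https://{GALLERY_HOST}/extensions/download/{extension_id}.crx?xsrf={token}"


def authorize_install(secret: bytes, session_id: str, url: str,
                      referer: Optional[str] = None) -> bool:
    """Server-side decision: is this install request gallery-initiated?

    The Referer header is accepted only for logging; it is deliberately
    never part of the decision because, as the comment notes, it can be
    forged. Only the session-bound token counts.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != GALLERY_HOST:
        return False
    last_segment = parsed.path.rsplit("/", 1)[-1]
    if not last_segment.endswith(".crx"):
        return False
    extension_id = last_segment[: -len(".crx")]
    token = parse_qs(parsed.query).get("xsrf", [""])[0]
    if not token:
        # A link copied from a comment or another site has no token: reject.
        return False
    expected = make_xsrf_token(secret, session_id, extension_id)
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == "__main__":
    ext = "abcdefghijklmnopabcdefghijklmnop"  # constructed 32-char extension id
    good = build_install_link(SERVER_SECRET, "session-A", ext)
    bare = f"https://{GALLERY_HOST}/extensions/download/{ext}.crx"
    print("gallery link, same session :", authorize_install(SERVER_SECRET, "session-A", good))
    print("link from comments (no tok):", authorize_install(SERVER_SECRET, "session-A", bare))
    print("forged referer, bogus token:", authorize_install(
        SERVER_SECRET, "session-A", bare + "?xsrf=deadbeef",
        referer=f"https://{GALLERY_HOST}/extensions/"))
```

The token is per session, so a link that works in one user's browser is useless when replayed under another session; the last check in the usage block is the forged-referrer case from the comment and fails solely because the token does not verify.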
