Yes, this really is a tough one. I guess the script could also change the action of a form etc
If it is possible to classify data as "user data", ie something that has been entered by the user (inc form autofill), then a security capability be required to pass that back to the background page, or form URL's from it etc. I guess changing the action of a form would also need to be controlled. But how many other ways round this are there, is this feasible? Even if the above worked and stopped passwords being stolen, it could still perform actions as you once you've logged into a website, eg. send spam, transfer money etc. Maybe need to worry about one problem at a time though. Or could content scripts be disabled for certain websites, eg. internet banking. I was thinking this could be signalled by the site itself, however I guess all sites will start flagging it to stop advert blockers etc. Maybe a simpler and more effective approach? Is it worth recording this potential threat as a bug? L On Jan 2, 12:43 am, Aaron Boodman <[email protected]> wrote: > On Fri, Jan 1, 2010 at 12:36 PM, Laurence <[email protected]> wrote: > > above this is not as simple as it seems. My second though: an > > additional capability is required to pass any data from a content > > script to XHR. > > There are many ways to pass data from a content script to a foreign > server besides XHR. For example, you can create an image tag and pass > the data in the src attribute querystring. You can create a link tag > and simulate a click on it. Etc. > > There have been thoughts down this path before, but nobody has ever > come up with a way to prevent data from going from web page to evil > servers that still allowed most valid use cases. > > Suggestions welcome, though. > > - a -- You received this message because you are subscribed to the Google Groups "Chromium-extensions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en.
