I’ve started publishing my “extension security basics” article series. First article takes apart a very simple extension. Two more are already written, quite a few more are planned.
Continuing with this article series. This time I’m discussing the potential impact of various extension privileges if these fall into the wrong hands. That’s the last preparation article, next time it’s going to be about actual vulnerabilities.
Some insight from my extension survey here as well: popular extensions are way more likely to relax Content Security Policy protection and to add 'unsafe-eval'. When looking at extensions with more than 100k users, more than 15% of them do this!
Next article, continuing to look at potential attacks on extension pages. This time looking at web-accessible pages; this allows for lots of potential mischief. So the article covers lots of ground. Hopefully still comprehensible this way.