You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -9,7 +9,7 @@ They have since added guidelines for Chrome Extension VRP <https://bughunters.go
Notes:
- Content scripts exist in an [isolated world](https://chromium.googlesource.com/chromium/src/+/master/third_party/blink/renderer/bindings/core/v8/V8BindingDesign.md#world) but run in the same process as the attacker-controlled website. They can be attacked via [Meltdown/Spectre](https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md) or a [compromised renderer](https://chromium.googlesource.com/chromium/src/+/master/docs/security/compromised-renderers.md) some extensions may allow for bypassing site isolation this way.
- Background scripts using `XMLHttpRequest` will send cookies as if `xhr.withCredentials = true`; even if it's false and are able to read whatever the extension has access to.
-`chrome.storage` can't be trusted [1227410 - New Extension API function `chrome.storage.setAccessLevel` - chromium](https://issues.chromium.org/issues/40189208)
-`chrome.storage` can't be trusted [40189208 - New Extension API function `chrome.storage.setAccessLevel` - chromium](https://issues.chromium.org/issues/40189208)
- CSP prevents some XSS :(
-`MessageSender.origin` doesn't exist on Firefox so you may need to use the URL.
- Compromised renderers that never run a content script shouldn't be able to spoof `runtime.sendMessage`
