Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Same Origin Policy apply to browser extensions?

Tags:

same-origin-policy

google-chrome

firefox

google-chrome-extension

firefox-addon

Given a browser extension that sends information from one webpage to an entirely different server, is this violating the same origin policy?

like image 534
jacktrades Avatar asked Aug 07 '12 16:08

jacktrades

People also ask

What is the same-origin policy in Web browsers?

The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.

Does same-origin policy apply to subdomains?

The Basics of the Same-Origin Policy One such restriction is that scrips executing on http://example.com are not allowed to access resources on http://subdomain.example.com . Restrictions are applied based on the document's origin where an origin is defined in RFC 6454 Section 4.

How does XSS Bypass same-origin policy?

XSS is essentially a full SOP bypass because Javascript that runs on page A would operate under the security context of page A. This means that if an attacker is able to get a malicious script executed on the victim page, the script can access the page's resources and data.

How do you solve the same-origin policy?

Changing Origin Occasionally, the same origin policy may block requests between subdomains on the same domain. The easiest way to solve this problem is to set document. domain from within JavaScript.

1 Answers

The same-origin policy (SOP) appplies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does "different server" mean when the extension code does not origingate from a server? (The extension script might have some kind of orgin, like chrome-extension://longhashidentificationstr, but not an traditional domain/origin.) To communicate with any Web page (except those that have CORS headers), the extension cannot be bound by the SOP.

Extensions don't exactly "violate" the SOP; instead, the SOP does not apply to them. The SOP is designed to limit damage that can be caused by a compromised or malicious Web page. Viewing a web page should require zero trust in the page, since it is so easy to visit a Web page. However, installing an extension is something users do less frequently and has larger impact on the user, so it's not unreasonable to require some trust in the extension.

like image 193
apsillers Avatar answered Sep 22 '22 11:09

apsillers
Sign in to Comment

Related questions

Is there ANY way to suppress the browser's login prompt on 401 response when using XmlHttpRequest
CSS page-break-after and float not playing nicely?
Firefox 3 vs Firefox 4 development difference?
Doing Ajax updates in SVG breaks getBBox, is there a workaround?
@font face rules loading fonts twice?
How to remove the strange border from shadow in Firefox?
knockout.js and Firefox Save Passwords on login form
How do I get a specific error for corrupt Firefox extensions?
Chrome/Firefox do not retain cookies when invoked via (Watir-)Webdriver?
CSS3 unicode-range does not work in Firefox
Transform origin on SVGs in Firefox
html geolocation: Unknown error acquiring position
Set a default character-encoding to UTF-8 in Mozilla Firefox
Selenium webdriver: firefox headless inject javascript to modify browser property
Firefox plugin that intercepts certain HTTP requests
IFrame Back button
CSS dotted border issue in adjacent columns in a table rendered as dash in Chrome
Firefox extension: Cancel requests and emit fake responses
Never-ending "Connecting" message after AJAX form submit
webdriver target="_blank"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!