What is the most secure way of passing messages between an injected script and Google Chrome extension code/content script?

Question

Definitions: Please note from the outset that by 'injected script', 'extension code' and 'content script' I will be using the definitions provided in the excellent first answer to this question.

Assumption: Handling confidential information is less secure if I do it directly within my injected script (in the web zone) than if I do it within the chrome:// zone of content scripts and extension code. I therefore should use message passing to send confidential information from the web zone to the chrome:// zone for it to be handled.

Question: I'm building a Google Chrome extension where I need to run some operations on sensitive user data derived from my injected script. The data in question is confidential and I must do all I can to ensure that it can't be seen by anyone but the user of the extension until I've operated on it. Of the 3 techniques (defined below) that can be used to pass messages between an injected script and extension code/content script which would be best for this purpose?

My understanding of the 3 different techniques that can be used for passing data between an injected script and extension code/content script:

1. For messaging passing between an injected script and extension code (e.g. a background page), one can use the chrome.runtime API.

2. For messaging passing between an injected script and a content script one can use window.postMessage.

3. Another way of passing messages between an injected script and a content script is via document.dispatchEvent(CustomEvent).

My understanding is that method 1. cannot be used for message passing between an injected script and a content script while methods 2. and 3. cannot be used for message passing between an injected script and extension code (unless the message is forwarded by the content script to, for example, a background page).

Answer 1

While code running in your background page / content script is pretty well isolated, as soon as you inject a script into the page context - you're in the Wild West. Any extension, and the page itself, has access to that context and can influence how your code executes.

For example, some extension can override chrome.runtime.sendMessage to send the message AND log it. This needs to be seriously taken into account - probably, you already lost.

That said, method 1 is harder to break into than 2/3 - as explained, the attacker extension would need to directly alter the page context to interfere, while in case of DOM events it can just listen to them from the safety of its content script - events are broadcast to all content script contexts.

Hypothetically, you could employ some sort of asymmetric cryptography for the channel as well - provide the injected script with the encryption key and keep the decryption key in the privileged zone. That safeguards the communication, if that's the only thing intercepted, but at some point the plaintext data exists in the global context - that may be enough for the attacker script to extract (that, you have to assume, executed before your injected script).