What is the safest way to pass messages between an injected script and a Google Chrome extension's script / code?

Definitions: Please note that for “injected script”, “extension code” and “content script” I use the definitions given in the excellent first answer to this question.

Assumption: Processing confidential information is less secure if I do it directly in my injected script (in the web zone) than if I did it in the chrome:// zone, i.e. in the content script and extension code. Therefore, I must use messaging to send sensitive information from the web zone to the chrome:// zone to process it there.

Question: I am creating a Google Chrome extension where I need to perform some operations on confidential user data obtained from my injected script. This data is confidential, and I must do everything possible to make sure that no one other than the extension user can see it before I work on it. Of the 3 methods (defined below) that can be used to pass messages between the injected script and the extension code / content script, which would be best suited for this purpose?

My understanding of the three different methods that can be used to transfer data between an injected script and the extension code / content script:

I understand that method 1. cannot be used to transfer messages between the injected script and the content script, while methods 2. and 3. cannot be used to transfer messages between the injected script and the extension code (unless the message is relayed by the content script, for example, on the main page).

1 answer

Although the code running in your background page / content script is pretty well isolated, once you inject a script into the page context, you are in the Wild West. Any extension, and the page itself, has access to that context and can affect how your code is executed.

For example, some extension may override chrome.runtime.sendMessage so that it sends the message AND logs it. This must be taken seriously - you may already have lost.

However, method 1 is harder to attack than 2/3 - as explained, the attacker's extension would have to directly modify the page context in order to interfere, whereas in the case of DOM events it can simply listen for them from the safety of its own content script - events are delivered to every content script context.

Hypothetically, you could use some asymmetric cryptography for the channel, e.g. embed the encryption key in the injected script and keep the decryption key in the privileged zone. This protects the message if it is the only thing intercepted, but at some point the plaintext data exists in the global context - this may be enough for the attacker's script to retrieve it (which you must assume, since their script executes before your injection).

