Hacker News new | past | comments | ask | show | jobs | submit login

This, just like Mozilla’s screenshot addon, and all the other examples, shows why it’s an insane idea to mix addon content with the websites, and why it’s important to make sure that addon content can run on the UI layer of the browser, and not within of the content of the sites.

Relying on "best practices" is always a security disaster waiting to happen, if you don’t enforce security and separation in the design of the APIs and languages already, you won’t get security.




> it’s important to make sure that addon content can run on the UI layer of the browser, and not within of the content of the sites

I don't get this thinking at all. Browser addons are trusted. That's the point - they have special privileges to adjust browser behaviour.

If you go around installing malicious addons, you get no more sympathy from me than if you'd gone around installing malicious kernel modules.


The problem is the opposite.

For example, Firefox’ screenshot addon would inject HTML into the page, and then the page could take the screenshot’s data and use it.

Addons currently have no way to reliably display their own UI on top of the page, without the page intercepting it.


Oh, right, I didn't get that from your original comment.

I agree, addons' workings shouldn't be exposed to untrusted websites.


Wouldn’t such a restriction eliminate the main selling point of extensions, which is that they can modify content on the page?

The extension permissions API already offers enough restrictions. As a user, I simply do not install extensions that need access to all pages, or I only enable them on pages where I need them.


Extensions modifying pages is fine, but often an extension wants to show custom UI on top of the page.

It’d be much more secure to allow the extension to do that without requiring it to put this into the page.

For example, currently you have the DOM of the page, and the extension’s UI is injected into it.

It would be preferable if you’d treat each tab as if it was like

    <tab>
      <browser src="actualpage"/>
      <overlay src="extension1"/>
    </tab>

This way an extension that wants to show secure UI on top could do it, and style it, but without it being accessible to the page itself.


Some extensions like Google Inbox for Chrome will inject a single `iframe` that points to a `chrome-extension://` page, so while the page might notice the element, it can't access its content.

I think you could use the Shadow DOM in closed mode to prevent any information from leaking. [1]

[1]: https://blog.revillweb.com/open-vs-closed-shadow-dom-9f3d742...


Pages sadly could still detect this content, and change their behaviour based on it.

Ideally you’d want to allow addons to modify pages in a way that pages can not detect or interfere with.

(e.g., some newspapers used to run JS to remove the AdBlock "block this" UI whenever you tried to remove an ad)


That only works for extensions that want to show their content in a separate overlay layer from the page. If the extension wants to show its content inline with the page's elements, pushing the page's elements out of the way and freely flowing with the page's elements, then that doesn't exactly work.

An extension can stuff its UI within an iframe that the host page can't manipulate, but that does come with some UI limitations.


Still, it’d be a major improvement over what we have today.


As long as the extension UI is rendered where the page can also render something, it will be vulnerable to phishing. E.g. https://www.seancassidy.me/lostpass.html


Correct, that’s why it’d be preferable to have it handled in the browser itself.

If it’s a message in the browser chrome itself, and not as <div> in the page, it is possible to add distinguishing UI.

With the current system, it’s literally impossible to distinguish the UI


Chrome has extension popups that kind of do this - they are pointed to the icon in the extension bar. Does Firefox have anything like that?


Yes, Firefox has the same – but they’re obviously not optimal in the context of a page.


Where can read about the "Mozilla’s screenshot addon" you mentioned?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: